Abstract

This paper is a companion technical report to the article "Continuation-Passing C: from threads to events through continuations". It contains the complete version of the proofs of correctness of lambda-lifting and CPS-conversion presented in the article.
1 Introduction



This paper is a companion technical report to the article "Continuation-Passing C: from threads to events through continuations" [1]. It contains the complete version of the proofs presented in the article. It does not, however, give any background or motivation for our work: please refer to the original article.

2 Lambda-lifting in an imperative language 

To prove the correctness of lambda-lifting in an imperative, call-by-value language when functions are called in tail position, we do not reason directly on CPC programs, because the semantics of C is too broad and complex for our purposes. The CPC translator leaves most parts of converted programs intact, transforming only control structures and function calls. Therefore, we define a simple language with restricted values, expressions and terms, that captures the features we are most interested in (Section 2.1).

The reduction rules for this language (Section 2.1.1) use a simplified memory model without pointers and enforce that local variables are not accessed outside of their scope, as ensured by our boxing pass. This is necessary since lambda-lifting is not correct in general in the presence of extruded variables.

It turns out that the "naive" reduction rules defined in Section 2.1.1 do not provide strong enough invariants to prove this correctness theorem by induction, mostly because we represent memory with a store that is not invariant with respect to lambda-lifting. Therefore, in Section 2.2 we define an equivalent, "optimised" set of reduction rules which enforces more regular stores and closures.

The proof of correctness is then carried out in Section 2.4 using these optimised rules. We first define the invariants needed for the proof and formulate a strengthened version of the correctness theorem (Theorem 2.28, Section 2.4.1). A comprehensive overview of the proof is then given in Section 2.4.2. The proof is fully detailed in Section 2.4.5, with the help of a number of lemmas to keep the main proof shorter (Sections 2.4.3 and 2.4.4).

The main limitation of this proof is that Theorems 2.9 and 2.28 are implications, not equivalences: we do not prove that if a term does not reduce, it will not reduce once lifted. For instance, this proof does not ensure that lambda-lifting does not break infinite loops.

2.1 Definitions 

In this section, we define the terms (Definition 2.1), the reduction rules (Section 2.1.1) and the lambda-lifting transformation itself (Section 2.1.2) for our small imperative language. With these preliminary definitions, we are then able to characterise liftable parameters (Definition 2.8) and state the main correctness theorem (Theorem 2.9, Section 2.1.3).

Definition 2.1 (Values, expressions and terms). Values are either boolean and integer constants or $1$, a special value for functions returning void.

$$v ::= 1 \mid \mathtt{true} \mid \mathtt{false} \mid n \in \mathbb{N}$$

Expressions are either values or variables. We deliberately omit arithmetic and boolean operators, with the sole concern of avoiding boring cases in the proofs.

$$e ::= v \mid x \mid \ldots$$

Terms consist of assignments, conditionals, sequences, recursive function definitions and calls.

$$T ::= e \mid x := T \mid \mathtt{if}\ T\ \mathtt{then}\ T\ \mathtt{else}\ T \mid T\,;\,T \mid \mathtt{letrec}\ f(x_1 \ldots x_n) = T\ \mathtt{in}\ T \mid f(T, \ldots, T)$$

Our language focuses on the essential details affected by the transformations: recursive functions, conditionals and memory accesses. Loops, for instance, are ignored because they can be expressed in terms of recursive calls and conditional jumps — and that is, in fact, how the splitting pass translates them. Since lambda-lifting happens after the splitting pass, our language needs to include inner functions (although they are not part of the C language), but it can safely exclude goto statements.

2.1.1 Naive reduction rules 

Environments and stores. Handling inner functions requires explicit closures in the reduction rules. We need environments, written $\rho$, to bind variables to locations, and a store, written $s$, to bind locations to values.

Environments and stores are partial functions, equipped with a single operator which extends and modifies a partial function: $\cdot + \{\cdot \mapsto \cdot\}$.

Definition 2.2. The modification (or extension) $f'$ of a partial function $f$, written $f' = f + \{x \mapsto y\}$, is defined as follows:

$$f'(t) = \begin{cases} y & \text{when } t = x \\ f(t) & \text{otherwise} \end{cases} \qquad\qquad \mathrm{dom}(f') = \mathrm{dom}(f) \cup \{x\}$$

Definition 2.3 (Environments of variables and functions). Environments of variables are defined inductively by

$$\rho ::= \varepsilon \mid (x, l) \cdot \rho,$$

i.e. the empty domain function and (respectively).

Environments of functions associate function names to closures:

$$\mathcal{F} : \{f, g, h, \ldots\} \to \{[\lambda x_1 \ldots x_n . T, \rho, \mathcal{F}]\}.$$

Note that although we have a notion of locations, which correspond roughly to memory addresses in C, there is no way to copy, change or otherwise manipulate a location directly in the syntax of our language. This is on purpose, since adding this possibility would make lambda-lifting incorrect: it translates the fact, ensured by the boxing pass in the CPC translator, that there are no extruded variables in the lifted terms.

Reduction rules. We use classical big-step reduction rules for our language (Figure 1).

In the (call) rule, we need to introduce fresh locations for the parameters of the called function. This means that we must choose locations that are not already in use, in particular in the environments $\rho'$ and $\mathcal{F}'$. To express this choice, we define two ancillary functions, $\mathrm{Env}$ and $\mathrm{Loc}$, to extract the environments and locations contained in the closures of a given environment of functions $\mathcal{F}$.



$$\text{(val)}\quad \frac{}{v^{s} \xrightarrow[\mathcal{F}]{\rho} v^{s}} \qquad\qquad \text{(var)}\quad \frac{\rho\,x = l \in \mathrm{dom}\,s}{x^{s} \xrightarrow[\mathcal{F}]{\rho} (s\,l)^{s}}$$

$$\text{(assign)}\quad \frac{a^{s} \xrightarrow[\mathcal{F}]{\rho} v^{s'} \qquad \rho\,x = l \in \mathrm{dom}\,s}{x := a^{s} \xrightarrow[\mathcal{F}]{\rho} 1^{s' + \{l \mapsto v\}}} \qquad\qquad \text{(seq)}\quad \frac{a^{s} \xrightarrow[\mathcal{F}]{\rho} v^{s'} \qquad b^{s'} \xrightarrow[\mathcal{F}]{\rho} v'^{s''}}{a\,;\,b^{s} \xrightarrow[\mathcal{F}]{\rho} v'^{s''}}$$

$$\text{(if-true)}\quad \frac{a^{s} \xrightarrow[\mathcal{F}]{\rho} \mathtt{true}^{s'} \qquad b^{s'} \xrightarrow[\mathcal{F}]{\rho} v^{s''}}{\mathtt{if}\ a\ \mathtt{then}\ b\ \mathtt{else}\ c^{s} \xrightarrow[\mathcal{F}]{\rho} v^{s''}} \qquad\qquad \text{(if-false)}\quad \frac{a^{s} \xrightarrow[\mathcal{F}]{\rho} \mathtt{false}^{s'} \qquad c^{s'} \xrightarrow[\mathcal{F}]{\rho} v^{s''}}{\mathtt{if}\ a\ \mathtt{then}\ b\ \mathtt{else}\ c^{s} \xrightarrow[\mathcal{F}]{\rho} v^{s''}}$$

$$\text{(letrec)}\quad \frac{\mathcal{F}' = \mathcal{F} + \{f \mapsto [\lambda x_1 \ldots x_n . a, \rho, \mathcal{F}]\} \qquad b^{s} \xrightarrow[\mathcal{F}']{\rho} v^{s'}}{\mathtt{letrec}\ f(x_1 \ldots x_n) = a\ \mathtt{in}\ b^{s} \xrightarrow[\mathcal{F}]{\rho} v^{s'}}$$

$$\text{(call)}\quad \frac{\mathcal{F}\,f = [\lambda x_1 \ldots x_n . b, \rho', \mathcal{F}'] \qquad \rho'' = (x_1, l_1) \cdot \ldots \cdot (x_n, l_n) \cdot \rho' \qquad l_i \text{ fresh and distinct} \qquad \forall i,\ a_i^{s_i} \xrightarrow[\mathcal{F}]{\rho} v_i^{s_{i+1}} \qquad b^{s_{n+1} + \{l_i \mapsto v_i\}} \xrightarrow[\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\}]{\rho''} v^{s'}}{f(a_1 \ldots a_n)^{s_1} \xrightarrow[\mathcal{F}]{\rho} v^{s'}}$$

Figure 1: "Naive" reduction rules



Definition 2.4 (Set of environments, set of locations).

$$\mathrm{Env}(\mathcal{F}) = \bigcup \{\rho, \rho' \mid [\lambda x_1 \ldots x_n . M, \rho, \mathcal{F}'] \in \mathrm{Im}(\mathcal{F}),\ \rho' \in \mathrm{Env}(\mathcal{F}')\}$$

$$\mathrm{Loc}(\mathcal{F}) = \bigcup \{\mathrm{Im}(\rho) \mid \rho \in \mathrm{Env}(\mathcal{F})\}$$

A location $l$ is said to appear in $\mathcal{F}$ iff $l \in \mathrm{Loc}(\mathcal{F})$.

These functions allow us to define fresh locations.

Definition 2.5 (Fresh location). In the (call) rule, a location is fresh when:

- $l \notin \mathrm{dom}(s_{n+1})$, i.e. $l$ is not already used in the store before the body of $f$ is evaluated, and

- $l$ doesn't appear in $\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\}$, i.e. $l$ will not interfere with locations captured in the environment of functions.

Note that the second condition implies in particular that $l$ does not appear in either $\mathcal{F}'$ or $\rho'$.

2.1.2 Lambda-lifting

Lambda-lifting can be split into two parts: parameter lifting and block floating [2]. We will focus only on the first part here, since the second one is trivial. Parameter lifting consists in adding a free variable as a parameter of every inner function where it appears free. This step is repeated until every variable is bound in every function, and closed functions can safely be floated to top-level. Note that although the transformation is called lambda-lifting, we do not focus on a single function and try to lift all of its free variables; on the contrary, we define the lifting of a single free parameter $x$ in every possible function.

Smart lambda-lifting algorithms strive to minimize the number of lifted variables. Such is not our concern in this proof: parameters are lifted in every function where they might potentially be free.

Definition 2.6 (Parameter lifting in a term). Assume that $x$ is defined as a parameter of a given function $g$, and that every inner function in $g$ is called $h_i$ (for some $i \in \mathbb{N}$). Also assume that function parameters are unique before lambda-lifting.

Then the lifted form $(M)_*$ of the term $M$ with respect to $x$ is defined inductively as follows:

$$(1)_* = 1 \qquad (n)_* = n \qquad (\mathtt{true})_* = \mathtt{true} \qquad (\mathtt{false})_* = \mathtt{false}$$

$$(y)_* = y \quad \text{and} \quad (y := a)_* = y := (a)_* \quad \text{(even if } y = x\text{)}$$

$$(a\,;\,b)_* = (a)_*\,;\,(b)_*$$

$$(\mathtt{if}\ a\ \mathtt{then}\ b\ \mathtt{else}\ c)_* = \mathtt{if}\ (a)_*\ \mathtt{then}\ (b)_*\ \mathtt{else}\ (c)_*$$

$$(\mathtt{letrec}\ f(x_1 \ldots x_n) = a\ \mathtt{in}\ b)_* = \begin{cases} \mathtt{letrec}\ f(x_1 \ldots x_n\ x) = (a)_*\ \mathtt{in}\ (b)_* & \text{if } f = h_i \\ \mathtt{letrec}\ f(x_1 \ldots x_n) = (a)_*\ \mathtt{in}\ (b)_* & \text{otherwise} \end{cases}$$

$$(f(a_1 \ldots a_n))_* = \begin{cases} f((a_1)_*, \ldots, (a_n)_*, x) & \text{if } f = h_i \text{ for some } i \\ f((a_1)_*, \ldots, (a_n)_*) & \text{otherwise} \end{cases}$$



2.1.3 Correctness condition 

We show that parameter lifting is correct for variables defined in functions whose inner functions are called exclusively in tail position. We call these variables liftable parameters. We first define tail positions as usual [T]:

Definition 2.7 (Tail position). Tail positions are defined inductively as follows:

1. $M$ and $N$ are in tail position in $\mathtt{if}\ P\ \mathtt{then}\ M\ \mathtt{else}\ N$.

2. $N$ is in tail position in $N$ and $M\,;\,N$ and $\mathtt{letrec}\ f(x_1 \ldots x_n) = M\ \mathtt{in}\ N$.

A parameter x defined in a function g is liftable if every inner function in g is called exclusively 
in tail position. 

Definition 2.8 (Liftable parameter). A parameter $x$ is liftable in $M$ when:

- $x$ is defined as the parameter of a function $g$,

- inner functions in $g$, named $h_i$, are called exclusively in tail position in $g$ or in one of the $h_i$.

Our main theorem states that performing parameter-lifting on a liftable parameter preserves 
the reduction: 

Theorem 2.9 (Correctness of lambda-lifting). If $x$ is a liftable parameter in $M$, then

$$\exists t,\ M^{\varepsilon} \xrightarrow[\varepsilon]{\varepsilon} v^{t} \quad \text{implies} \quad \exists t',\ (M)_*^{\varepsilon} \xrightarrow[\varepsilon]{\varepsilon} v^{t'}.$$

Note that the resulting store $t'$ changes because lambda-lifting introduces new variables, hence new locations in the store, and changes the values associated with lifted variables; Section 2.4 is devoted to the proof of this theorem. To maintain invariants during the proof, we need to use an equivalent, "optimised" set of reduction rules; it is introduced in the next section.

2.2 Optimised reduction rules

The naive reduction rules (Section 2.1.1) are not well-suited to prove the correctness of lambda-lifting. Indeed, the proof is by induction and requires a number of invariants on the structure of stores and environments. Rather than having a dozen of lemmas to ensure these invariants during the proof of correctness, we translate them as constraints in the reduction rules.

To this end, we introduce two optimisations — minimal stores (Section 2.2.1) and compact closures (Section 2.2.2) — which lead to the definition of an optimised set of reduction rules (Figure 2, Section 2.2.3). The equivalence between optimised and naive reduction rules is shown in Section 2.3.

2.2.1 Minimal stores 

In the naive reduction rules, the store grows faster when reducing lifted terms, because each 
function call adds to the store as many locations as it has function parameters. This yields stores 
of different sizes when reducing the original and the lifted term, and that difference cannot be 
accounted for locally, at the rule level. 

Consider for instance the simplest possible case of lambda-lifting:

$$\mathtt{letrec}\ g(x) = (\mathtt{letrec}\ h() = x\ \mathtt{in}\ h())\ \mathtt{in}\ g(1) \qquad \text{(original)}$$

$$\mathtt{letrec}\ g(x) = (\mathtt{letrec}\ h(y) = y\ \mathtt{in}\ h(x))\ \mathtt{in}\ g(1) \qquad \text{(lifted)}$$

At the end of the reduction, the store for the original term is $\{l_x \mapsto 1\}$ whereas the store for the lifted term is $\{l_x \mapsto 1, l_y \mapsto 1\}$. More complex terms would yield even larger stores, with many out-of-date copies of lifted variables.

To keep the store under control, we need to get rid of useless variables as soon as possible during the reduction. It is safe to remove a variable $x$ from the store once we are certain that it will never be used again, i.e. as soon as the term in tail position in the function which defines $x$ has been evaluated. This mechanism is analogous to the deallocation of a stack frame when a function returns.

To track the variables whose location can be safely reclaimed after the reduction of some term $M$, we introduce split environments. Split environments are written $\rho_T | \rho$, where $\rho_T$ is called the tail environment and $\rho$ the non-tail one; only the variables belonging to the tail environment may be safely reclaimed. The reduction rules build environments so that a variable $x$ belongs to $\rho_T$ if and only if the term $M$ is in tail position in the current function $f$ and $x$ is a parameter of $f$. In that case, it is safe to discard the locations associated to all of the parameters of $f$, including $x$, after $M$ has been reduced because we are sure that the evaluation of $f$ is completed (and there are no first-class functions in the language to keep references on variables beyond their scope of definition).

We also define a cleaning operator, $\cdot \setminus \cdot$, to remove a set of variables from the store.

Definition 2.10 (Cleaning of a store). The store $s$ cleaned with respect to the variables in $\rho$, written $s \setminus \rho$, is defined as $s \setminus \rho = s|_{\mathrm{dom}(s) \setminus \mathrm{Im}(\rho)}$.
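As an added, runnable model of Sections 2.1 and 2.2.1 (example code written for this page, not part of the report or of the CPC translator): it represents the terms of Definition 2.1 as tagged tuples (a representation assumed here), implements the naive big-step rules of Figure 1 with locations drawn from a counter so that freshness (Definition 2.5) holds trivially, the parameter lifting of Definition 2.6 and the tail-position condition of Definitions 2.7 and 2.8. Run on the term of this section it reproduces the one-location versus two-location stores discussed above, with the lifted parameter kept under the name $x$ as in Definition 2.6 rather than renamed to $y$.

```python
from itertools import count

UNIT = "unit"   # the special value of functions returning void (written 1 in the report)

# Term constructors: tagged tuples, a representation assumed by this example
def Val(v): return ("val", v)
def Var(x): return ("var", x)
def Assign(x, t): return ("assign", x, t)
def If(c, t, e): return ("if", c, t, e)
def Seq(a, b): return ("seq", a, b)
def Letrec(f, params, body, rest): return ("letrec", f, tuple(params), body, rest)
def Call(f, args): return ("call", f, tuple(args))

def reduce(term, store, rho, fenv, fresh):
    """Naive rules of Figure 1: returns (value, store'); rho: var -> loc, store: loc -> value,
    fenv: name -> closure (params, body, rho, fenv), fresh: generator of unused locations."""
    tag = term[0]
    if tag == "val":                                   # (val)
        return term[1], store
    if tag == "var":                                   # (var): rho x = l in dom s
        return store[rho[term[1]]], store
    if tag == "assign":                                # (assign): yields the void value
        v, s1 = reduce(term[2], store, rho, fenv, fresh)
        return UNIT, {**s1, rho[term[1]]: v}
    if tag == "seq":                                   # (seq): the store is threaded through
        _, s1 = reduce(term[1], store, rho, fenv, fresh)
        return reduce(term[2], s1, rho, fenv, fresh)
    if tag == "if":                                    # (if-true) / (if-false)
        c, s1 = reduce(term[1], store, rho, fenv, fresh)
        return reduce(term[2] if c is True else term[3], s1, rho, fenv, fresh)
    if tag == "letrec":                                # (letrec): F' = F + {f -> [lambda x.a, rho, F]}
        _, f, params, body, rest = term
        return reduce(rest, store, rho, {**fenv, f: (params, body, rho, fenv)}, fresh)
    if tag == "call":                                  # (call)
        _, f, args = term
        params, body, rho1, fenv1 = fenv[f]
        vals, s = [], store
        for a in args:                                 # a_i evaluated left to right
            v, s = reduce(a, s, rho, fenv, fresh)
            vals.append(v)
        locs = [next(fresh) for _ in params]           # l_i fresh and distinct (Definition 2.5)
        rho2 = {**rho1, **dict(zip(params, locs))}     # rho'' = (x1,l1)...(xn,ln).rho'
        s2 = {**s, **dict(zip(locs, vals))}            # s_{n+1} + {l_i -> v_i}
        return reduce(body, s2, rho2, {**fenv1, f: fenv[f]}, fresh)
    raise ValueError("unknown term: %r" % (term,))

def lift(term, x, inner):
    """Definition 2.6: (M)_* for the parameter x of g; inner = names h_i of g's inner functions."""
    tag = term[0]
    if tag in ("val", "var"):
        return term
    if tag == "assign":                                # (y := a)_* = y := (a)_*, even if y = x
        return Assign(term[1], lift(term[2], x, inner))
    if tag == "seq":
        return Seq(lift(term[1], x, inner), lift(term[2], x, inner))
    if tag == "if":
        return If(*(lift(t, x, inner) for t in term[1:]))
    if tag == "letrec":                                # each h_i gets x as an extra parameter
        _, f, params, body, rest = term
        params = params + (x,) if f in inner else params
        return Letrec(f, params, lift(body, x, inner), lift(rest, x, inner))
    _, f, args = term                                  # calls to an h_i pass x along
    args = tuple(lift(a, x, inner) for a in args)
    return Call(f, args + (Var(x),) if f in inner else args)

def inner_functions(term):
    """Names of the functions defined by letrec anywhere inside term."""
    if term[0] == "letrec":
        return {term[1]} | inner_functions(term[3]) | inner_functions(term[4])
    subterms = term[2] if term[0] == "call" else term[1:]
    return set().union(*(inner_functions(t) for t in subterms if isinstance(t, tuple)))

def tail_calls_only(term, inner, tail=True):
    """Definitions 2.7/2.8: every call to a name in `inner` sits in tail position of the body containing it."""
    tag = term[0]
    if tag in ("val", "var"):
        return True
    if tag == "assign":
        return tail_calls_only(term[2], inner, False)
    if tag == "seq":
        return tail_calls_only(term[1], inner, False) and tail_calls_only(term[2], inner, tail)
    if tag == "if":
        return tail_calls_only(term[1], inner, False) and all(tail_calls_only(t, inner, tail) for t in term[2:])
    if tag == "letrec":                                # an inner function body has its own tail positions
        return tail_calls_only(term[3], inner, True) and tail_calls_only(term[4], inner, tail)
    _, f, args = term
    return (tail or f not in inner) and all(tail_calls_only(a, inner, False) for a in args)

def run(term):
    """Reduce a closed term from the empty environment and store, as in Theorem 2.9."""
    return reduce(term, {}, {}, {}, count())

def example():
    """The term of Section 2.2.1: returns (v, v_lifted, |store|, |store_lifted|, lifted term)."""
    gbody = Letrec("h", (), Var("x"), Call("h", ()))        # letrec h() = x in h()
    original = Letrec("g", ("x",), gbody, Call("g", (Val(1),)))
    assert tail_calls_only(gbody, inner_functions(gbody))   # x is a liftable parameter of g
    lifted = lift(original, "x", inner_functions(gbody))    # h now takes x: letrec h(x) = x in h(x)
    (v1, s1), (v2, s2) = run(original), run(lifted)
    return v1, v2, len(s1), len(s2), lifted                 # the lifted store has one more location
```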

2.2.2 Compact closures

Another source of complexity with the naive reduction rules is the inclusion of useless variables in closures. It is safe to remove from the environments of variables contained in closures the variables that are also parameters of the function: when the function is called, and the environment restored, these variables will be hidden by the freshly instantiated parameters.


This is typically what happens to lifted parameters: they are free variables, captured in 
the closure when the function is defined, but these captured values will never be used since 
calling the function adds fresh parameters with the same names. We introduce compact closures 
in the optimised reduction rules to avoid dealing with this hiding mechanism in the proof of 
lambda-lifting. 

A compact closure is a closure that does not capture any variable which would be hidden 
when the closure is called because of function parameters having the same name. 

Definition 2.11 (Compact closure and environment). A closure $[\lambda x_1 \ldots x_n . M, \rho, \mathcal{F}]$ is compact if $\forall i,\ x_i \notin \mathrm{dom}(\rho)$ and $\mathcal{F}$ is compact. An environment is compact if it contains only compact closures.

We define a canonical mapping from any environment $\mathcal{F}$ to a compact environment $\mathcal{F}_*$, restricting the domains of every closure in $\mathcal{F}$.

Definition 2.12 (Canonical compact environment). The canonical compact environment $\mathcal{F}_*$ is the unique environment with the same domain as $\mathcal{F}$ such that

$$\forall f \in \mathrm{dom}(\mathcal{F}),\quad \mathcal{F}\,f = [\lambda x_1 \ldots x_n . M, \rho, \mathcal{F}'] \quad \text{implies} \quad \mathcal{F}_*\,f = [\lambda x_1 \ldots x_n . M, \rho|_{\mathrm{dom}(\rho) \setminus \{x_1 \ldots x_n\}}, \mathcal{F}'_*].$$

2.2.3 Optimised reduction rules 

Combining both optimisations yields the optimised reduction rules (Figure 2), used in Section 2.4 for the proof of lambda-lifting. We ensure minimal stores by cleaning them in the (val), (var) and (assign) rules, which correspond to tail positions; split environments are introduced in the (call) rule to distinguish fresh parameters, to be cleaned, from captured variables, which are preserved. Tail positions are tracked in every rule through split environments, to avoid cleaning variables too early, in a non-tail branch.

We also build compact closures in the (letrec) rule by removing the parameters of $f$ from the captured environment $\rho'$.

Theorem 2.13 (Equivalence between naive and optimised reduction rules). Optimised and naive reduction rules are equivalent: every reduction in one set of rules yields the same result in the other. It is necessary, however, to take care of locations left in the store by the naive reduction:

$$M^{\varepsilon} \xRightarrow[\varepsilon]{\varepsilon|\varepsilon} v^{\varepsilon} \quad \text{iff} \quad \exists s,\ M^{\varepsilon} \xrightarrow[\varepsilon]{\varepsilon} v^{s}$$

We prove this theorem in Section 2.3.

2.3 Equivalence of optimised and naive reduction rules 

This section is devoted to the proof of equivalence between the optimised and naive reduction rules (Theorem 2.13).

To clarify the proof, we introduce intermediate reduction rules (Figure 3) with only one of the two optimisations: minimal stores, but not compact closures. (In the reconstruction below, naive reductions are written $\xrightarrow{}$, intermediate ones $\xrightharpoonup{}$ and optimised ones $\xRightarrow{}$.)

The proof then consists in proving that optimised and intermediate rules are equivalent (Lemma 2.15 and Lemma 2.16, Section 2.3.1), then that naive and intermediate rules are equivalent (Lemma 2.21 and Lemma 2.22, Section 2.3.2).

$$\text{Naive rules}\ \underset{\text{Lemma 2.21}}{\overset{\text{Lemma 2.22}}{\rightleftarrows}}\ \text{Intermediate rules}\ \underset{\text{Lemma 2.16}}{\overset{\text{Lemma 2.15}}{\rightleftarrows}}\ \text{Optimised rules}$$
$$\text{(val)}\quad \frac{}{v^{s} \xRightarrow[\mathcal{F}]{\rho_T|\rho} v^{s \setminus \rho_T}} \qquad\qquad \text{(var)}\quad \frac{\rho_T \cdot \rho\ x = l \in \mathrm{dom}\,s}{x^{s} \xRightarrow[\mathcal{F}]{\rho_T|\rho} (s\,l)^{s \setminus \rho_T}}$$

$$\text{(assign)}\quad \frac{a^{s} \xRightarrow[\mathcal{F}]{|\rho_T \cdot \rho} v^{s'} \qquad \rho_T \cdot \rho\ x = l \in \mathrm{dom}\,s}{x := a^{s} \xRightarrow[\mathcal{F}]{\rho_T|\rho} 1^{s' + \{l \mapsto v\} \setminus \rho_T}} \qquad\qquad \text{(seq)}\quad \frac{a^{s} \xRightarrow[\mathcal{F}]{|\rho_T \cdot \rho} v^{s'} \qquad b^{s'} \xRightarrow[\mathcal{F}]{\rho_T|\rho} v'^{s''}}{a\,;\,b^{s} \xRightarrow[\mathcal{F}]{\rho_T|\rho} v'^{s''}}$$

$$\text{(if-true)}\quad \frac{a^{s} \xRightarrow[\mathcal{F}]{|\rho_T \cdot \rho} \mathtt{true}^{s'} \qquad b^{s'} \xRightarrow[\mathcal{F}]{\rho_T|\rho} v^{s''}}{\mathtt{if}\ a\ \mathtt{then}\ b\ \mathtt{else}\ c^{s} \xRightarrow[\mathcal{F}]{\rho_T|\rho} v^{s''}} \qquad\qquad \text{(if-false)}\quad \frac{a^{s} \xRightarrow[\mathcal{F}]{|\rho_T \cdot \rho} \mathtt{false}^{s'} \qquad c^{s'} \xRightarrow[\mathcal{F}]{\rho_T|\rho} v^{s''}}{\mathtt{if}\ a\ \mathtt{then}\ b\ \mathtt{else}\ c^{s} \xRightarrow[\mathcal{F}]{\rho_T|\rho} v^{s''}}$$

$$\text{(letrec)}\quad \frac{\rho' = \rho_T \cdot \rho|_{\mathrm{dom}(\rho_T \cdot \rho) \setminus \{x_1 \ldots x_n\}} \qquad \mathcal{F}' = \mathcal{F} + \{f \mapsto [\lambda x_1 \ldots x_n . a, \rho', \mathcal{F}]\} \qquad b^{s} \xRightarrow[\mathcal{F}']{\rho_T|\rho} v^{s'}}{\mathtt{letrec}\ f(x_1 \ldots x_n) = a\ \mathtt{in}\ b^{s} \xRightarrow[\mathcal{F}]{\rho_T|\rho} v^{s'}}$$

$$\text{(call)}\quad \frac{\mathcal{F}\,f = [\lambda x_1 \ldots x_n . b, \rho', \mathcal{F}'] \qquad \rho'' = (x_1, l_1) \cdot \ldots \cdot (x_n, l_n) \qquad l_i \text{ fresh and distinct} \qquad \forall i,\ a_i^{s_i} \xRightarrow[\mathcal{F}]{|\rho_T \cdot \rho} v_i^{s_{i+1}} \qquad b^{s_{n+1} + \{l_i \mapsto v_i\}} \xRightarrow[\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\}]{\rho''|\rho'} v^{s'}}{f(a_1 \ldots a_n)^{s_1} \xRightarrow[\mathcal{F}]{\rho_T|\rho} v^{s' \setminus \rho_T}}$$

Figure 2: Optimised reduction rules



2.3.1 Optimised and intermediate reduction rules equivalence

In this section, we show that optimised and intermediate reduction rules are equivalent:

$$\text{Intermediate rules}\ \underset{\text{Lemma 2.16}}{\overset{\text{Lemma 2.15}}{\rightleftarrows}}\ \text{Optimised rules}$$

We must therefore show that it is correct to use compact closures in the optimised reduction 
rules. 

Compact closures carry the implicit idea that some variables can be safely discarded from the 
environments when we know for sure that they will be hidden. The following lemma formalises 
this intuition. 

Lemma 2.14 (Hidden variables elimination).

$$\forall l, l',\quad M^{s} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|\rho} v^{s'} \quad \text{iff} \quad M^{s} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|(x,l') \cdot \rho} v^{s'}$$

$$\forall l, l',\quad M^{s} \xRightarrow[\mathcal{F}]{\rho_T|(x,l) \cdot \rho} v^{s'} \quad \text{iff} \quad M^{s} \xRightarrow[\mathcal{F}]{\rho_T|(x,l) \cdot (x,l') \cdot \rho} v^{s'}$$

Moreover, both derivations have the same height.

Proof. The exact same proof holds for both intermediate and optimised reduction rules.

By induction on the structure of the derivation. The proof relies solely on the fact that $\rho_T \cdot (x,l) \cdot \rho = \rho_T \cdot (x,l) \cdot (x,l') \cdot \rho$.
$$\text{(val)}\quad \frac{}{v^{s} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{s \setminus \rho_T}} \qquad\qquad \text{(var)}\quad \frac{\rho_T \cdot \rho\ x = l \in \mathrm{dom}\,s}{x^{s} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} (s\,l)^{s \setminus \rho_T}}$$

$$\text{(assign)}\quad \frac{a^{s} \xrightharpoonup[\mathcal{F}]{|\rho_T \cdot \rho} v^{s'} \qquad \rho_T \cdot \rho\ x = l \in \mathrm{dom}\,s}{x := a^{s} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} 1^{s' + \{l \mapsto v\} \setminus \rho_T}} \qquad\qquad \text{(seq)}\quad \frac{a^{s} \xrightharpoonup[\mathcal{F}]{|\rho_T \cdot \rho} v^{s'} \qquad b^{s'} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v'^{s''}}{a\,;\,b^{s} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v'^{s''}}$$

$$\text{(if-true)}\quad \frac{a^{s} \xrightharpoonup[\mathcal{F}]{|\rho_T \cdot \rho} \mathtt{true}^{s'} \qquad b^{s'} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{s''}}{\mathtt{if}\ a\ \mathtt{then}\ b\ \mathtt{else}\ c^{s} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{s''}} \qquad\qquad \text{(if-false)}\quad \frac{a^{s} \xrightharpoonup[\mathcal{F}]{|\rho_T \cdot \rho} \mathtt{false}^{s'} \qquad c^{s'} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{s''}}{\mathtt{if}\ a\ \mathtt{then}\ b\ \mathtt{else}\ c^{s} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{s''}}$$

$$\text{(letrec)}\quad \frac{\rho' = \rho_T \cdot \rho \qquad \mathcal{F}' = \mathcal{F} + \{f \mapsto [\lambda x_1 \ldots x_n . a, \rho', \mathcal{F}]\} \qquad b^{s} \xrightharpoonup[\mathcal{F}']{\rho_T|\rho} v^{s'}}{\mathtt{letrec}\ f(x_1 \ldots x_n) = a\ \mathtt{in}\ b^{s} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{s'}}$$

$$\text{(call)}\quad \frac{\mathcal{F}\,f = [\lambda x_1 \ldots x_n . b, \rho', \mathcal{F}'] \qquad \rho'' = (x_1, l_1) \cdot \ldots \cdot (x_n, l_n) \qquad l_i \text{ fresh and distinct} \qquad \forall i,\ a_i^{s_i} \xrightharpoonup[\mathcal{F}]{|\rho_T \cdot \rho} v_i^{s_{i+1}} \qquad b^{s_{n+1} + \{l_i \mapsto v_i\}} \xrightharpoonup[\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\}]{\rho''|\rho'} v^{s'}}{f(a_1 \ldots a_n)^{s_1} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{s' \setminus \rho_T}}$$

Figure 3: Intermediate reduction rules



(seq) $\rho_T \cdot (x,l) \cdot \rho = \rho_T \cdot (x,l) \cdot (x,l') \cdot \rho$. So,

$$a^{s} \xRightarrow[\mathcal{F}]{|\rho_T \cdot (x,l) \cdot (x,l') \cdot \rho} v^{s'} \quad \text{iff} \quad a^{s} \xRightarrow[\mathcal{F}]{|\rho_T \cdot (x,l) \cdot \rho} v^{s'}$$

Moreover, by the induction hypotheses,

$$b^{s'} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|(x,l') \cdot \rho} v'^{s''} \quad \text{iff} \quad b^{s'} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|\rho} v'^{s''}$$

Hence,

$$a\,;\,b^{s} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|(x,l') \cdot \rho} v'^{s''} \quad \text{iff} \quad a\,;\,b^{s} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|\rho} v'^{s''}$$

The other cases are similar.

(val) $v^{s} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|\rho} v^{s \setminus \rho_T \cdot (x,l)}$ and $v^{s} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|(x,l') \cdot \rho} v^{s \setminus \rho_T \cdot (x,l)}$.

(var) $\rho_T \cdot (x,l) \cdot \rho = \rho_T \cdot (x,l) \cdot (x,l') \cdot \rho$ so, with $l'' = \rho_T \cdot (x,l) \cdot \rho\ y$,

$$y^{s} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|\rho} (s\,l'')^{s \setminus \rho_T \cdot (x,l)} \quad \text{iff} \quad y^{s} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|(x,l') \cdot \rho} (s\,l'')^{s \setminus \rho_T \cdot (x,l)}$$

(assign) $\rho_T \cdot (x,l) \cdot \rho = \rho_T \cdot (x,l) \cdot (x,l') \cdot \rho$. So,

$$a^{s} \xRightarrow[\mathcal{F}]{|\rho_T \cdot (x,l) \cdot (x,l') \cdot \rho} v^{s'} \quad \text{iff} \quad a^{s} \xRightarrow[\mathcal{F}]{|\rho_T \cdot (x,l) \cdot \rho} v^{s'}$$

Hence, with $l'' = \rho_T \cdot (x,l) \cdot \rho\ y$,

$$y := a^{s} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|\rho} 1^{s' + \{l'' \mapsto v\} \setminus \rho_T \cdot (x,l)} \quad \text{iff} \quad y := a^{s} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|(x,l') \cdot \rho} 1^{s' + \{l'' \mapsto v\} \setminus \rho_T \cdot (x,l)}$$

(if-true) and (if-false) are proved similarly to (seq).

(letrec) $\rho_T \cdot (x,l) \cdot \rho = \rho_T \cdot (x,l) \cdot (x,l') \cdot \rho = \rho'$. Moreover, by the induction hypotheses,

$$b^{s} \xRightarrow[\mathcal{F}']{\rho_T \cdot (x,l)|(x,l') \cdot \rho} v^{s'} \quad \text{iff} \quad b^{s} \xRightarrow[\mathcal{F}']{\rho_T \cdot (x,l)|\rho} v^{s'}$$

Hence,

$$\mathtt{letrec}\ f(x_1 \ldots x_n) = a\ \mathtt{in}\ b^{s} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|(x,l') \cdot \rho} v^{s'} \quad \text{iff} \quad \mathtt{letrec}\ f(x_1 \ldots x_n) = a\ \mathtt{in}\ b^{s} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|\rho} v^{s'}$$

(call) $\rho_T \cdot (x,l) \cdot \rho = \rho_T \cdot (x,l) \cdot (x,l') \cdot \rho$. So,

$$\forall i,\ a_i^{s_i} \xRightarrow[\mathcal{F}]{|\rho_T \cdot (x,l) \cdot (x,l') \cdot \rho} v_i^{s_{i+1}} \quad \text{iff} \quad a_i^{s_i} \xRightarrow[\mathcal{F}]{|\rho_T \cdot (x,l) \cdot \rho} v_i^{s_{i+1}}$$

Hence,

$$f(a_1 \ldots a_n)^{s_1} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|(x,l') \cdot \rho} v^{s' \setminus \rho_T \cdot (x,l)} \quad \text{iff} \quad f(a_1 \ldots a_n)^{s_1} \xRightarrow[\mathcal{F}]{\rho_T \cdot (x,l)|\rho} v^{s' \setminus \rho_T \cdot (x,l)}$$

Now we can show the required lemmas and prove the equivalence between the intermediate 
and optimised reduction rules. 

Lemma 2.15 (Intermediate implies optimised).

$$\text{If } M^{s} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{s'} \text{ then } M^{s} \xRightarrow[\mathcal{F}_*]{\rho_T|\rho} v^{s'}.$$

Proof. By induction on the structure of the derivation. The interesting cases are (letrec) and (call), where compact environments are respectively built and used.

(letrec) By the induction hypotheses,

$$b^{s} \xRightarrow[\mathcal{F}'_*]{\rho_T|\rho} v^{s'}$$

Since we defined canonical compact environments so as to match exactly the way compact environments are built in the optimised reduction rules, the constraints of the (letrec) rule are fulfilled:

$$\mathcal{F}'_* = \mathcal{F}_* + \{f \mapsto [\lambda x_1 \ldots x_n . a, \rho', \mathcal{F}_*]\},$$

hence:

$$\mathtt{letrec}\ f(x_1 \ldots x_n) = a\ \mathtt{in}\ b^{s} \xRightarrow[\mathcal{F}_*]{\rho_T|\rho} v^{s'}$$
(call) By the induction hypotheses,

$$\forall i,\ a_i^{s_i} \xRightarrow[\mathcal{F}_*]{|\rho_T \cdot \rho} v_i^{s_{i+1}}$$

and

$$b^{s_{n+1} + \{l_i \mapsto v_i\}} \xRightarrow[(\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\})_*]{\rho''|\rho'} v^{s'}$$

Lemma 2.14 allows to remove hidden variables, which leads to

$$b^{s_{n+1} + \{l_i \mapsto v_i\}} \xRightarrow[(\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\})_*]{\rho''|\rho'|_{\mathrm{dom}(\rho') \setminus \{x_1 \ldots x_n\}}} v^{s'}$$

Besides,

$$\mathcal{F}_*\,f = [\lambda x_1 \ldots x_n . b, \rho'|_{\mathrm{dom}(\rho') \setminus \{x_1 \ldots x_n\}}, \mathcal{F}'_*]$$

and

$$(\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\})_* = \mathcal{F}'_* + \{f \mapsto \mathcal{F}_*\,f\}$$

Hence

$$f(a_1 \ldots a_n)^{s_1} \xRightarrow[\mathcal{F}_*]{\rho_T|\rho} v^{s' \setminus \rho_T}.$$



(val) $v^{s} \xRightarrow[\mathcal{F}_*]{\rho_T|\rho} v^{s \setminus \rho_T}$

(var) $x^{s} \xRightarrow[\mathcal{F}_*]{\rho_T|\rho} (s\,l)^{s \setminus \rho_T}$

(assign) By the induction hypotheses, $a^{s} \xRightarrow[\mathcal{F}_*]{|\rho_T \cdot \rho} v^{s'}$. Hence,

$$x := a^{s} \xRightarrow[\mathcal{F}_*]{\rho_T|\rho} 1^{s' + \{l \mapsto v\} \setminus \rho_T}$$

(seq) By the induction hypotheses,

$$a^{s} \xRightarrow[\mathcal{F}_*]{|\rho_T \cdot \rho} v^{s'} \qquad b^{s'} \xRightarrow[\mathcal{F}_*]{\rho_T|\rho} v'^{s''}$$

Hence,

$$a\,;\,b^{s} \xRightarrow[\mathcal{F}_*]{\rho_T|\rho} v'^{s''}$$

(if-true) and (if-false) are proved similarly to (seq). □

Lemma 2.16 (Optimised implies intermediate).

$$\text{If } M^{s} \xRightarrow[\mathcal{F}]{\rho_T|\rho} v^{s'} \text{ then } \forall \mathcal{G} \text{ such that } \mathcal{G}_* = \mathcal{F},\ M^{s} \xrightharpoonup[\mathcal{G}]{\rho_T|\rho} v^{s'}.$$

Proof. First note that, since $\mathcal{G}_* = \mathcal{F}$, $\mathcal{F}$ is necessarily compact.

By induction on the structure of the derivation. The interesting cases are (letrec) and (call), 
where non-compact environments are respectively built and used. 
(letrec) Let $\mathcal{G}$ such that $\mathcal{G}_* = \mathcal{F}$. Remember that $\rho' = \rho_T \cdot \rho|_{\mathrm{dom}(\rho_T \cdot \rho) \setminus \{x_1 \ldots x_n\}}$. Let

$$\mathcal{G}' = \mathcal{G} + \{f \mapsto [\lambda x_1 \ldots x_n . a, \rho_T \cdot \rho, \mathcal{F}]\}$$

which leads, since $\mathcal{F}$ is compact ($\mathcal{F}_* = \mathcal{F}$), to $\mathcal{G}'_* = \mathcal{F}'$.

By the induction hypotheses,

$$b^{s} \xrightharpoonup[\mathcal{G}']{\rho_T|\rho} v^{s'}$$

Hence,

$$\mathtt{letrec}\ f(x_1 \ldots x_n) = a\ \mathtt{in}\ b^{s} \xrightharpoonup[\mathcal{G}]{\rho_T|\rho} v^{s'}$$

(call) Let $\mathcal{G}$ such that $\mathcal{G}_* = \mathcal{F}$. By the induction hypotheses,

$$\forall i,\ a_i^{s_i} \xrightharpoonup[\mathcal{G}]{|\rho_T \cdot \rho} v_i^{s_{i+1}}$$

Moreover, since $\mathcal{G}_*\,f = \mathcal{F}\,f$,

$$\mathcal{G}\,f = [\lambda x_1 \ldots x_n . b, (x_i, l_i) \cdots (x_j, l_j) \cdot \rho', \mathcal{G}']$$

where $\mathcal{G}'_* = \mathcal{F}'$, and the $l_j$ are some locations stripped out when compacting $\mathcal{G}$ to get $\mathcal{F}$. By the induction hypotheses,

$$b^{s_{n+1} + \{l_i \mapsto v_i\}} \xrightharpoonup[\mathcal{G}' + \{f \mapsto \mathcal{G}\,f\}]{\rho''|\rho'} v^{s'}$$

Lemma 2.14 leads to

$$b^{s_{n+1} + \{l_i \mapsto v_i\}} \xrightharpoonup[\mathcal{G}' + \{f \mapsto \mathcal{G}\,f\}]{\rho''|(x_i, l_i) \cdots (x_j, l_j) \cdot \rho'} v^{s'}$$

Hence,

$$f(a_1 \ldots a_n)^{s_1} \xrightharpoonup[\mathcal{G}]{\rho_T|\rho} v^{s' \setminus \rho_T}$$

(val) $\forall \mathcal{G}$ such that $\mathcal{G}_* = \mathcal{F}$, $v^{s} \xrightharpoonup[\mathcal{G}]{\rho_T|\rho} v^{s \setminus \rho_T}$

(var) $\forall \mathcal{G}$ such that $\mathcal{G}_* = \mathcal{F}$, $x^{s} \xrightharpoonup[\mathcal{G}]{\rho_T|\rho} (s\,l)^{s \setminus \rho_T}$

(assign) Let $\mathcal{G}$ such that $\mathcal{G}_* = \mathcal{F}$. By the induction hypotheses, $a^{s} \xrightharpoonup[\mathcal{G}]{|\rho_T \cdot \rho} v^{s'}$. Hence,

$$x := a^{s} \xrightharpoonup[\mathcal{G}]{\rho_T|\rho} 1^{s' + \{l \mapsto v\} \setminus \rho_T}$$

(seq) Let $\mathcal{G}$ such that $\mathcal{G}_* = \mathcal{F}$. By the induction hypotheses,

$$a^{s} \xrightharpoonup[\mathcal{G}]{|\rho_T \cdot \rho} v^{s'} \qquad b^{s'} \xrightharpoonup[\mathcal{G}]{\rho_T|\rho} v'^{s''}$$

Hence

$$a\,;\,b^{s} \xrightharpoonup[\mathcal{G}]{\rho_T|\rho} v'^{s''}$$

(if-true) and (if-false) are proved similarly to (seq). □

2.3.2 Intermediate and naive reduction rules equivalence 

In this section, we show that the naive and intermediate reduction rules are equivalent: 

$$\text{Naive rules}\ \underset{\text{Lemma 2.21}}{\overset{\text{Lemma 2.22}}{\rightleftarrows}}\ \text{Intermediate rules}$$



We must therefore show that it is correct to use minimal stores in the intermediate reduction rules. We first define a partial order on stores:

Definition 2.17 (Store extension).

$$s \sqsubseteq s' \quad \text{iff} \quad s'|_{\mathrm{dom}(s)} = s$$

Property 2.18. Store extension ($\sqsubseteq$) is a partial order over stores. The following operations preserve this order: $\cdot \setminus \rho$ and $\cdot + \{l \mapsto v\}$, for some given $\rho$, $l$ and $v$.

Proof. Immediate when considering the stores as function graphs: $\sqsubseteq$ is the inclusion, $\cdot \setminus \rho$ a relative complement, and $\cdot + \{l \mapsto v\}$ a disjoint union (preceded by $\cdot \setminus (l, v')$ when $l$ is already bound to some $v'$). □

Before we prove that using minimal stores is equivalent to using full stores, we need an alpha-conversion lemma, which allows us to rename locations in the store, provided the new location does not already appear in the store or the environments. It is used when choosing a fresh location for the (call) rule in proofs by induction.

Lemma 2.19 (Alpha-conversion). If $M^{s} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{s'}$ then, for all $l$, for all $l'$ appearing neither in $s$ nor in $\mathcal{F}$ nor in $\rho \cdot \rho_T$,

$$M^{s[l'/l]} \xrightharpoonup[\mathcal{F}[l'/l]]{\rho_T[l'/l]|\rho[l'/l]} v^{s'[l'/l]}$$

Moreover, both derivations have the same height.

Proof. By induction on the height of the derivation. For the (call) case, we must ensure that the fresh locations $l_i$ do not clash with $l'$. In case they do, we conclude by applying the induction hypotheses twice: first to rename the clashing $l_i$ into a fresh $l'_i$, then to rename $l$ into $l'$.

Two preliminary elementary remarks. First, provided $l'$ appears neither in $\rho$ or $\rho_T$, nor in $s$,

$$(s \setminus \rho)[l'/l] = (s[l'/l]) \setminus (\rho[l'/l])$$

and

$$(\rho_T \cdot \rho)[l'/l] = \rho_T[l'/l] \cdot \rho[l'/l].$$

Moreover, if $M^{s} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{s'}$, then $\mathrm{dom}(s') = \mathrm{dom}(s) \setminus \mathrm{Im}(\rho_T)$ (straightforward by induction).

This leads to: $\rho_T = \varepsilon \Rightarrow \mathrm{dom}(s') = \mathrm{dom}(s)$.

By induction on the height of the derivation, because the induction hypothesis must be applied twice in the case of the (call) rule.

(call) $\forall i,\ \mathrm{dom}(s_i) = \mathrm{dom}(s_{i+1})$. Thus, $\forall i,\ l' \notin \mathrm{dom}(s_i)$. This leads, by the induction hypotheses, to

$$\forall i,\ a_i^{s_i[l'/l]} \xrightharpoonup[\mathcal{F}[l'/l]]{|(\rho_T \cdot \rho)[l'/l]} v_i^{s_{i+1}[l'/l]}$$

Moreover, $\mathcal{F}'$ is part of $\mathcal{F}$. As a result, since $l'$ does not appear in $\mathcal{F}$, it does not appear in $\mathcal{F}'$, nor in $\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\}$. It does not appear in $\rho'$ either (since $\rho'$ is part of $\mathcal{F}'$). On the other hand, there might be some $j$ such that $l_j = l'$, so $l'$ might appear in $\rho''$. In that case, we apply the induction hypotheses a first time to rename $l_j$ in some $l'_j \neq l'$. One can choose $l'_j$ such that it does not appear in $s_{n+1}$, $\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\}$ nor in $\rho'' \cdot \rho$. As a result, $l'_j$ is fresh. Since $l_j$ is fresh too, and does not appear in $\mathrm{dom}(s')$ (because of our preliminary remarks), this leads to a mere substitution in $\rho''$:

$$b^{s_{n+1} + \{l_i[l'_j/l_j] \mapsto v_i\}} \xrightharpoonup[\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\}]{\rho''[l'_j/l_j]|\rho'} v^{s'}$$

Once this (potentially) disturbing $l_j$ has been renamed (we ignore it in the rest of the proof), we apply the induction hypotheses a second time to rename $l$ to $l'$:

$$b^{(s_{n+1} + \{l_i \mapsto v_i\})[l'/l]} \xrightharpoonup[(\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\})[l'/l]]{\rho''[l'/l]|\rho'[l'/l]} v^{s'[l'/l]}$$

Now, $(s_{n+1} + \{l_i \mapsto v_i\})[l'/l] = s_{n+1}[l'/l] + \{l_i \mapsto v_i\}$. Moreover,

$$\mathcal{F}[l'/l]\,f = [\lambda x_1 \ldots x_n . b, \rho'[l'/l], \mathcal{F}'[l'/l]]$$

and

$$(\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\})[l'/l] = \mathcal{F}'[l'/l] + \{f \mapsto \mathcal{F}[l'/l]\,f\}$$

Finally, $\rho''[l'/l] = \rho''$. Hence:

$$f(a_1 \ldots a_n)^{s_1[l'/l]} \xrightharpoonup[\mathcal{F}[l'/l]]{\rho_T[l'/l]|\rho[l'/l]} v^{s'[l'/l] \setminus \rho_T[l'/l]}$$

(val) $v^{s[l'/l]} \xrightharpoonup[\mathcal{F}[l'/l]]{\rho_T[l'/l]|\rho[l'/l]} v^{s[l'/l] \setminus \rho_T[l'/l]}$

(var) $s[l'/l](\rho_T[l'/l] \cdot \rho[l'/l]\ x) = s(\rho_T \cdot \rho\ x) = v$ implies

$$x^{s[l'/l]} \xrightharpoonup[\mathcal{F}[l'/l]]{\rho_T[l'/l]|\rho[l'/l]} v^{s[l'/l] \setminus \rho_T[l'/l]}$$
(assign) By the induction hypotheses,

$$a^{s[l'/l]} \xrightharpoonup[\mathcal{F}[l'/l]]{|(\rho_T \cdot \rho)[l'/l]} v^{s'[l'/l]}$$

Let $s'' = s' + \{\rho_T \cdot \rho\ x \mapsto v\}$. Then,

$$s'[l'/l] + \{(\rho_T \cdot \rho)[l'/l]\ x \mapsto v\} = s''[l'/l]$$

Hence

$$x := a^{s[l'/l]} \xrightharpoonup[\mathcal{F}[l'/l]]{\rho_T[l'/l]|\rho[l'/l]} 1^{s''[l'/l] \setminus \rho_T[l'/l]}$$

(seq) By the induction hypotheses,

$$a^{s[l'/l]} \xrightharpoonup[\mathcal{F}[l'/l]]{|(\rho_T \cdot \rho)[l'/l]} v^{s'[l'/l]}$$

Besides, $\mathrm{dom}(s') = \mathrm{dom}(s)$, therefore $l' \notin \mathrm{dom}(s')$. Then, by the induction hypotheses,

$$b^{s'[l'/l]} \xrightharpoonup[\mathcal{F}[l'/l]]{\rho_T[l'/l]|\rho[l'/l]} v'^{s''[l'/l]}$$

Hence

$$a\,;\,b^{s[l'/l]} \xrightharpoonup[\mathcal{F}[l'/l]]{\rho_T[l'/l]|\rho[l'/l]} v'^{s''[l'/l]}$$
(if-true) and (if-false) are proved similarly to (seq).

(letrec) Since $l'$ appears neither in $\rho'$ nor in $\mathcal{F}$, it does not appear in $\mathcal{F}'$ either. By the induction hypotheses,

$$b^{s[l'/l]} \xrightharpoonup[\mathcal{F}'[l'/l]]{\rho_T[l'/l]|\rho[l'/l]} v^{s'[l'/l]}$$

Moreover,

$$\mathcal{F}'[l'/l] = \mathcal{F}[l'/l] + \{f \mapsto [\lambda x_1 \ldots x_n . a, \rho'[l'/l], \mathcal{F}[l'/l]]\}$$

Hence

$$\mathtt{letrec}\ f(x_1 \ldots x_n) = a\ \mathtt{in}\ b^{s[l'/l]} \xrightharpoonup[\mathcal{F}[l'/l]]{\rho_T[l'/l]|\rho[l'/l]} v^{s'[l'/l]} \qquad \square$$

To prove that using minimal stores is correct, we need to extend them so as to recover the 
full stores of naive reduction. The following lemma shows that extending a store before an 
(intermediate) reduction extends the resulting store too: 

Lemma 2.20 (Extending a store in a derivation). Given the reduction $M^{s} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{s'}$, then

$$\forall t \sqsupseteq s,\ \exists t' \sqsupseteq s',\ M^{t} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{t'}.$$

Moreover, both derivations have the same height.

Proof. By induction on the height of the derivation. The most interesting case is (call), which requires alpha-converting a location (hence the induction on the height rather than the structure of the derivation).

(var), (val) and (assign) are straightforward by the induction hypotheses and Property 2.18. (seq), (if-true), (if-false) and (letrec) are straightforward by the induction hypotheses.
(call) Let $t_1 \sqsupseteq s_1$. By the induction hypotheses,

$$\exists t_2 \sqsupseteq s_2,\ a_1^{t_1} \xrightharpoonup[\mathcal{F}]{|\rho_T \cdot \rho} v_1^{t_2}$$

$$\ldots$$

$$\exists t_{i+1} \sqsupseteq s_{i+1},\ a_i^{t_i} \xrightharpoonup[\mathcal{F}]{|\rho_T \cdot \rho} v_i^{t_{i+1}}$$

The locations $l_i$ might belong to $\mathrm{dom}(t_{n+1})$ and thus not be fresh. By alpha-conversion (Lemma 2.19) we choose fresh $l'_i$ (not in $\mathrm{Im}(\rho')$ and $\mathrm{dom}(s')$) such that

$$b^{s_{n+1} + \{l'_i \mapsto v_i\}} \xrightharpoonup[\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\}]{\rho''[l'_i/l_i]|\rho'} v^{s'}$$

By Property 2.18, $t_{n+1} + \{l'_i \mapsto v_i\} \sqsupseteq s_{n+1} + \{l'_i \mapsto v_i\}$. By the induction hypotheses,

$$\exists t' \sqsupseteq s',\ b^{t_{n+1} + \{l'_i \mapsto v_i\}} \xrightharpoonup[\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\}]{\rho''[l'_i/l_i]|\rho'} v^{t'}$$

Moreover, $t' \setminus \rho_T \sqsupseteq s' \setminus \rho_T$. Hence,

$$f(a_1 \ldots a_n)^{t_1} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{t' \setminus \rho_T}.$$

(val) Let $t \sqsupseteq s$. $v^{t} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{t \setminus \rho_T}$ and $\exists t' = t \setminus \rho_T \sqsupseteq s \setminus \rho_T = s'$ (Property 2.18).

(var) Let $t \sqsupseteq s$. $x^{t} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} (t\,l)^{t \setminus \rho_T}$ and $\exists t' = t \setminus \rho_T \sqsupseteq s \setminus \rho_T = s'$ (Property 2.18). Moreover $t\,l = s\,l$ because $l \in \mathrm{dom}(s)$ and $t|_{\mathrm{dom}(s)} = s$.

(assign) Let $t \sqsupseteq s$. By the induction hypotheses,

$$\exists t' \sqsupseteq s',\ a^{t} \xrightharpoonup[\mathcal{F}]{|\rho_T \cdot \rho} v^{t'}$$

Hence,

$$x := a^{t} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} 1^{t' + \{l \mapsto v\} \setminus \rho_T}$$

concludes, since $t' + \{l \mapsto v\} \setminus \rho_T \sqsupseteq s' + \{l \mapsto v\} \setminus \rho_T$ (Property 2.18).

(seq) Let $t \sqsupseteq s$. By the induction hypotheses,

$$\exists t' \sqsupseteq s',\ a^{t} \xrightharpoonup[\mathcal{F}]{|\rho_T \cdot \rho} v^{t'} \qquad\qquad \exists t'' \sqsupseteq s'',\ b^{t'} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v'^{t''}$$

Hence,

$$\exists t'' \sqsupseteq s'',\ a\,;\,b^{t} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v'^{t''}$$

(if-true) and (if-false) are proved similarly to (seq).

(letrec) Let $t \sqsupseteq s$. By the induction hypotheses,

$$\exists t' \sqsupseteq s',\ b^{t} \xrightharpoonup[\mathcal{F}']{\rho_T|\rho} v^{t'}$$

Hence,

$$\exists t' \sqsupseteq s',\ \mathtt{letrec}\ f(x_1 \ldots x_n) = a\ \mathtt{in}\ b^{t} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{t'} \qquad \square$$



Now we can show the required lemmas and prove the equivalence between the intermediate 
and naive reduction rules. 

Lemma 2.21 (Intermediate implies naive).

$$\text{If } M^{s} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v^{s'} \text{ then } \exists t' \sqsupseteq s',\ M^{s} \xrightarrow[\mathcal{F}]{\rho_T \cdot \rho} v^{t'}.$$

Proof. By induction on the height of the derivation, because some stores are modified during the proof. The interesting cases are (seq) and (call), where Lemma 2.20 is used to extend intermediary stores. Other cases are straightforward by Property 2.18 and the induction hypotheses.



(seq) By the induction hypotheses,

$$\exists t' \sqsupseteq s',\ a^{s} \xrightarrow[\mathcal{F}]{\rho_T \cdot \rho} v^{t'}$$

Moreover,

$$b^{s'} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v'^{s''}.$$

Since $t' \sqsupseteq s'$, Lemma 2.20 leads to:

$$\exists t'' \sqsupseteq s'',\ b^{t'} \xrightharpoonup[\mathcal{F}]{\rho_T|\rho} v'^{t''}$$

and the height of the derivation is preserved. By the induction hypotheses,

$$\exists t''' \sqsupseteq t'',\ b^{t'} \xrightarrow[\mathcal{F}]{\rho_T \cdot \rho} v'^{t'''}$$

Hence, since $\sqsubseteq$ is transitive (Property 2.18),

$$\exists t''' \sqsupseteq s'',\ a\,;\,b^{s} \xrightarrow[\mathcal{F}]{\rho_T \cdot \rho} v'^{t'''}$$

(call) Similarly to the (seq) case, we apply the induction hypotheses and Lemma 2.20:

$$\exists t_2 \sqsupseteq s_2,\ a_1^{s_1} \xrightarrow[\mathcal{F}]{\rho_T \cdot \rho} v_1^{t_2} \qquad \text{(Induction)}$$

$$\exists t'_{i+1} \sqsupseteq s_{i+1},\ a_i^{t_i} \xrightharpoonup[\mathcal{F}]{|\rho_T \cdot \rho} v_i^{t'_{i+1}} \qquad \text{(Lemma 2.20)}$$

$$\exists t_{i+1} \sqsupseteq t'_{i+1} \sqsupseteq s_{i+1},\ a_i^{t_i} \xrightarrow[\mathcal{F}]{\rho_T \cdot \rho} v_i^{t_{i+1}} \qquad \text{(Induction)}$$

$$\ldots$$

$$\exists t'_{n+1} \sqsupseteq s_{n+1},\ a_n^{t_n} \xrightharpoonup[\mathcal{F}]{|\rho_T \cdot \rho} v_n^{t'_{n+1}} \qquad \text{(Lemma 2.20)}$$

$$\exists t_{n+1} \sqsupseteq t'_{n+1} \sqsupseteq s_{n+1},\ a_n^{t_n} \xrightarrow[\mathcal{F}]{\rho_T \cdot \rho} v_n^{t_{n+1}} \qquad \text{(Induction)}$$

The locations $l_i$ might belong to $\mathrm{dom}(t_{n+1})$ and thus not be fresh. By alpha-conversion (Lemma 2.19), we choose a set of fresh $l'_i$ (not in $\mathrm{Im}(\rho')$ and $\mathrm{dom}(s')$) such that

$$b^{s_{n+1} + \{l'_i \mapsto v_i\}} \xrightharpoonup[\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\}]{(x_i, l'_i)|\rho'} v^{s'}$$

By Property 2.18, $t_{n+1} + \{l'_i \mapsto v_i\} \sqsupseteq s_{n+1} + \{l'_i \mapsto v_i\}$. Lemma 2.20 leads to

$$\exists t' \sqsupseteq s',\ b^{t_{n+1} + \{l'_i \mapsto v_i\}} \xrightharpoonup[\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\}]{(x_i, l'_i)|\rho'} v^{t'}.$$

By the induction hypotheses,

$$\exists t'' \sqsupseteq t' \sqsupseteq s',\ b^{t_{n+1} + \{l'_i \mapsto v_i\}} \xrightarrow[\mathcal{F}' + \{f \mapsto \mathcal{F}\,f\}]{(x_i, l'_i) \cdot \rho'} v^{t''}$$

Moreover, $t' \setminus \rho_T \sqsupseteq s' \setminus \rho_T$. Hence,

$$\exists t'' \sqsupseteq s' \setminus \rho_T,\ f(a_1 \ldots a_n)^{s_1} \xrightarrow[\mathcal{F}]{\rho_T \cdot \rho} v^{t''}$$

(val) $v^{s} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{s}$ with $t' = s \sqsupseteq s \setminus \rho_T = s'$.

(var) $x^{s} \xrightarrow[\mathcal F]{\rho_T \mid \rho} s\,l^{\,s}$ with $t' = s \sqsupseteq s \setminus \rho_T = s'$.

(assign) By the induction hypotheses,
$$\exists t' \sqsupseteq s',\ a^{s} \xrightarrow[\mathcal F]{\varepsilon \mid \rho_T \cdot \rho} v^{t'}.$$
Hence,
$$x := a^{s} \xrightarrow[\mathcal F]{\rho_T \mid \rho} 1^{t' + \{l \mapsto v\}}$$
concludes since $t' + \{l \mapsto v\} \sqsupseteq s' + \{l \mapsto v\} \setminus \rho_T$ (Property 2.18).

(if-true) and (if-false) are proved similarly to (seq).

(letrec) By the induction hypotheses,
$$\exists t' \sqsupseteq s',\ b^{s} \xrightarrow[\mathcal F']{\rho_T \mid \rho} v^{t'}.$$
Hence,
$$\exists t' \sqsupseteq s',\ \mathbf{letrec}\ f(x_1 \ldots x_n) = a\ \mathbf{in}\ b^{s} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{t'}. \qquad \square$$



The proof of the converse property, i.e. if a term reduces in the naive reduction rules, it reduces in the intermediate reduction rules too, is more complex because the naive reduction rules provide very weak invariants about stores and environments. For that reason, we add a hypothesis to ensure that every location appearing in the environments $\rho$, $\rho_T$ and $\mathcal F$ also appears in the store $s$:
$$\mathrm{Im}(\rho_T \cdot \rho) \cup \mathrm{Loc}(\mathcal F) \subseteq \mathrm{dom}(s).$$
Moreover, since stores are often larger in the naive reduction rules than in the intermediate ones, we need to generalise the induction hypothesis.
Lemma 2.22 (Naive implies intermediate). Assume $\mathrm{Im}(\rho_T \cdot \rho) \cup \mathrm{Loc}(\mathcal F) \subseteq \mathrm{dom}(s)$. Then $M^{s} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{s'}$ in the naive reduction rules implies, in the intermediate reduction rules,
$$\forall t \sqsubseteq s \text{ such that } \mathrm{Im}(\rho_T \cdot \rho) \cup \mathrm{Loc}(\mathcal F) \subseteq \mathrm{dom}(t),\qquad M^{t} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{s'|_{\mathrm{dom}(t) \setminus \mathrm{Im}(\rho_T)}}.$$

Proof. By induction on the structure of the derivation.

(val) Let $t \sqsubseteq s$. Then
$$\begin{aligned}
t \setminus \rho_T &= s|_{\mathrm{dom}(t) \setminus \mathrm{Im}(\rho_T)} && \text{because } s|_{\mathrm{dom}(t)} = t\\
&= s'|_{\mathrm{dom}(t) \setminus \mathrm{Im}(\rho_T)} && \text{because } s' = s
\end{aligned}$$
Hence,
$$v^{t} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{t \setminus \rho_T}.$$

(var) Let $t \sqsubseteq s$ such that $\mathrm{Im}(\rho_T \cdot \rho) \cup \mathrm{Loc}(\mathcal F) \subseteq \mathrm{dom}(t)$. Note that $l \in \mathrm{Im}(\rho_T \cdot \rho) \subseteq \mathrm{dom}(t)$ implies $t\,l = s\,l$. Then,
$$\begin{aligned}
t \setminus \rho_T &= s|_{\mathrm{dom}(t) \setminus \mathrm{Im}(\rho_T)} && \text{because } s|_{\mathrm{dom}(t)} = t\\
&= s'|_{\mathrm{dom}(t) \setminus \mathrm{Im}(\rho_T)} && \text{because } s' = s
\end{aligned}$$
Hence,
$$x^{t} \xrightarrow[\mathcal F]{\rho_T \mid \rho} t\,l^{\,t \setminus \rho_T}.$$



(assign) Let $t \sqsubseteq s$ such that $\mathrm{Im}(\rho_T \cdot \rho) \cup \mathrm{Loc}(\mathcal F) \subseteq \mathrm{dom}(t)$. By the induction hypotheses, since $\mathrm{Im}(\varepsilon) = \emptyset$,
$$a^{t} \xrightarrow[\mathcal F]{\varepsilon \mid \rho_T \cdot \rho} v^{s'|_{\mathrm{dom}(t)}}.$$
Note that $l \in \mathrm{Im}(\rho_T \cdot \rho) \subseteq \mathrm{dom}(t)$ implies $l \in \mathrm{dom}(s'|_{\mathrm{dom}(t)})$. Then
$$\begin{aligned}
(s'|_{\mathrm{dom}(t)} + \{l \mapsto v\}) \setminus \rho_T &= (s' + \{l \mapsto v\})|_{\mathrm{dom}(t)} \setminus \rho_T && \text{because } l \in \mathrm{dom}(s'|_{\mathrm{dom}(t)})\\
&= (s' + \{l \mapsto v\})|_{\mathrm{dom}(t) \setminus \mathrm{Im}(\rho_T)}
\end{aligned}$$
Hence,
$$x := a^{t} \xrightarrow[\mathcal F]{\rho_T \mid \rho} 1^{(s'|_{\mathrm{dom}(t)} + \{l \mapsto v\}) \setminus \rho_T}.$$

(seq) Let $t \sqsubseteq s$ such that $\mathrm{Im}(\rho_T \cdot \rho) \cup \mathrm{Loc}(\mathcal F) \subseteq \mathrm{dom}(t)$. By the induction hypotheses, since $\mathrm{Im}(\varepsilon) = \emptyset$,
$$a^{t} \xrightarrow[\mathcal F]{\varepsilon \mid \rho_T \cdot \rho} v^{s'|_{\mathrm{dom}(t)}}.$$
Moreover, $s'|_{\mathrm{dom}(t)} \sqsubseteq s'$ and $\mathrm{Im}(\rho_T \cdot \rho) \cup \mathrm{Loc}(\mathcal F) \subseteq \mathrm{dom}(s'|_{\mathrm{dom}(t)}) = \mathrm{dom}(t)$. By the induction hypotheses, this leads to:
$$b^{s'|_{\mathrm{dom}(t)}} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v'^{s''|_{\mathrm{dom}(s'|_{\mathrm{dom}(t)}) \setminus \mathrm{Im}(\rho_T)}}.$$
Hence, with $\mathrm{dom}(s'|_{\mathrm{dom}(t)}) = \mathrm{dom}(t)$,
$$a\,;\,b^{t} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v'^{s''|_{\mathrm{dom}(t) \setminus \mathrm{Im}(\rho_T)}}.$$



(if-true) and (if-false) are proved similarly to (seq).

(letrec) Let $t \sqsubseteq s$ such that $\mathrm{Im}(\rho_T \cdot \rho) \cup \mathrm{Loc}(\mathcal F) \subseteq \mathrm{dom}(t)$.
$\mathrm{Loc}(\mathcal F') = \mathrm{Loc}(\mathcal F) \cup \mathrm{Im}(\rho_T \cdot \rho)$ implies $\mathrm{Im}(\rho_T \cdot \rho) \cup \mathrm{Loc}(\mathcal F') \subseteq \mathrm{dom}(t)$. Then, by the induction hypotheses,
$$b^{t} \xrightarrow[\mathcal F']{\rho_T \mid \rho} v^{s'|_{\mathrm{dom}(t) \setminus \mathrm{Im}(\rho_T)}}.$$
Hence,
$$\mathbf{letrec}\ f(x_1 \ldots x_n) = a\ \mathbf{in}\ b^{t} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{s'|_{\mathrm{dom}(t) \setminus \mathrm{Im}(\rho_T)}}.$$

(call) Let $t \sqsubseteq s_1$ such that $\mathrm{Im}(\rho_T \cdot \rho) \cup \mathrm{Loc}(\mathcal F) \subseteq \mathrm{dom}(t)$. Note the following equalities:
$$\begin{aligned}
s_1|_{\mathrm{dom}(t)} &= t\\
s_2|_{\mathrm{dom}(t)} &\sqsubseteq s_2\\
\mathrm{Im}(\rho_T \cdot \rho) \cup \mathrm{Loc}(\mathcal F) &\subseteq \mathrm{dom}(s_2|_{\mathrm{dom}(t)}) = \mathrm{dom}(t)\\
s_3|_{\mathrm{dom}(s_2|_{\mathrm{dom}(t)})} &= s_3|_{\mathrm{dom}(t)}
\end{aligned}$$
By the induction hypotheses, they yield:
$$\forall i,\ a_i^{s_i|_{\mathrm{dom}(t)}} \xrightarrow[\mathcal F]{\varepsilon \mid \rho_T \cdot \rho} v_i^{s_{i+1}|_{\mathrm{dom}(t)}}$$
Moreover, $s_{n+1}|_{\mathrm{dom}(t)} \sqsubseteq s_{n+1}$ implies $s_{n+1}|_{\mathrm{dom}(t)} + \{l_i \mapsto v_i\} \sqsubseteq s_{n+1} + \{l_i \mapsto v_i\}$ (Property 2.18) and:
$$\begin{aligned}
\mathrm{Im}(\rho'' \cdot \rho') \cup \mathrm{Loc}(\mathcal F' + \{f \mapsto \mathcal F f\}) &= \mathrm{Im}(\rho'') \cup (\mathrm{Im}(\rho') \cup \mathrm{Loc}(\mathcal F'))\\
&\subseteq \mathrm{Im}(\rho'') \cup \mathrm{Loc}(\mathcal F)\\
&\subseteq \mathrm{Im}(\rho'') \cup \mathrm{dom}(t)\\
&\subseteq \mathrm{dom}(s_{n+1}|_{\mathrm{dom}(t)} + \{l_i \mapsto v_i\})
\end{aligned}$$
Then, by the induction hypotheses,
$$b^{s_{n+1}|_{\mathrm{dom}(t)} + \{l_i \mapsto v_i\}} \xrightarrow[\mathcal F' + \{f \mapsto \mathcal F f\}]{\rho'' \mid \rho'} v^{s'|_{\mathrm{dom}(s_{n+1}|_{\mathrm{dom}(t)} + \{l_i \mapsto v_i\}) \setminus \mathrm{Im}(\rho'')}}$$
Finally,
$$\begin{aligned}
s'|_{\mathrm{dom}(s_{n+1}|_{\mathrm{dom}(t)} + \{l_i \mapsto v_i\}) \setminus \mathrm{Im}(\rho'')} \setminus \rho_T &= s'|_{\mathrm{dom}(t) \cup \{l_i\} \setminus \{l_i\}} \setminus \rho_T = s'|_{\mathrm{dom}(t)} \setminus \rho_T\\
&= (s' \setminus \rho_T)|_{\mathrm{dom}(t) \setminus \mathrm{Im}(\rho_T)} && \text{(by definition of } \cdot \setminus \cdot\,)
\end{aligned}$$
Hence,
$$f(a_1 \ldots a_n)^{t} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{(s' \setminus \rho_T)|_{\mathrm{dom}(t) \setminus \mathrm{Im}(\rho_T)}}. \qquad \square$$

2.4 Correctness of lambda-lifting 

In this section, we prove the correctness of lambda-lifting (Theorem 2.9, p. 5) by induction on the height of the optimised reduction.

Section 2.4.1 defines stronger invariants and rewords the correctness theorem with them. Section 2.4.2 gives an overview of the proof. Sections 2.4.3 and 2.4.4 prove a few lemmas needed for the proof. Section 2.4.5 contains the actual proof of correctness.

2.4.1 Strengthened hypotheses 

We need strong induction hypotheses to ensure that key invariants about stores and environments hold at every step. For that purpose, we define aliasing-free environments, in which locations may not be referenced by more than one variable, and local positions. They yield a strengthened version of liftable parameters (Definition 2.25). We then define lifted environments (Definition 2.26) to mirror the effect of lambda-lifting in lifted terms captured in closures, and finally reformulate the correctness of lambda-lifting in Theorem 2.28 with hypotheses strong enough to be provable directly by induction.

Definition 2.23 (Aliasing). A set of environments $\mathcal E$ is aliasing-free when:
$$\forall \rho, \rho' \in \mathcal E,\ \forall x \in \mathrm{dom}(\rho),\ \forall y \in \mathrm{dom}(\rho'),\quad \rho\,x = \rho'\,y \Rightarrow x = y.$$
By extension, an environment of functions $\mathcal F$ is aliasing-free when $\mathrm{Env}(\mathcal F)$ is aliasing-free.

The notion of aliasing-free environments is not an artifact of our small language, but translates a fundamental property of the C semantics: distinct function parameters or local variables are always bound to distinct memory locations (Section 6.2.2, paragraph 6 in ISO/IEC 9899 [3]).

A local position is any position in a term except inner functions. Local positions are used to distinguish functions defined directly in a term from deeper nested functions, because we need to enforce Invariant 3 (Definition 2.25) on the former only.

Definition 2.24 (Local position). Local positions are defined inductively as follows:

1. $M$ is in local position in $M$, $x := M$, $M\,;\,M$, $\mathbf{if}\ M\ \mathbf{then}\ M\ \mathbf{else}\ M$ and $f(M, \ldots, M)$.

2. $N$ is in local position in $\mathbf{letrec}\ f(x_1 \ldots x_n) = M\ \mathbf{in}\ N$.

We extend the notion of liftable parameter (Definition 2.8, p. 5) to enforce invariants on stores and environments.

Definition 2.25 (Extended liftability). The parameter $x$ is liftable in $(M, \mathcal F, \rho_T, \rho)$ when:

1. $x$ is defined as the parameter of a function $g$, either in $M$ or in $\mathcal F$,

2. in both $M$ and $\mathcal F$, inner functions in $g$, named $h_i$, are defined and called exclusively:

   (a) in tail position in $g$, or

   (b) in tail position in some $h_j$ (with possibly $i = j$), or

   (c) in tail position in $M$,

3. for all $f$ defined in local position in $M$, $x \in \mathrm{dom}(\rho_T \cdot \rho) \Leftrightarrow \exists i,\ f = h_i$,

4. moreover, if $h_i$ is called in tail position in $M$, then $x \in \mathrm{dom}(\rho_T)$,

5. in $\mathcal F$, $x$ appears necessarily and exclusively in the environments of the $h_i$'s closures,

6. $\mathcal F$ contains only compact closures and $\mathrm{Env}(\mathcal F) \cup \{\rho, \rho_T\}$ is aliasing-free.

We also extend the definition of lambda-lifting (Definition 2.6, p. 5) to environments, in order to reflect changes in lambda-lifted parameters captured in closures.

Definition 2.26 (Lifted form of an environment). If $\mathcal F\,f = [\lambda x_1 \ldots x_n . b, \rho', \mathcal F']$ then
$$(\mathcal F)_*\,f = \begin{cases}
[\lambda x_1 \ldots x_n\, x . (b)_*,\ \rho'|_{\mathrm{dom}(\rho') \setminus \{x\}},\ (\mathcal F')_*] & \text{when } f = h_i \text{ for some } i\\
[\lambda x_1 \ldots x_n . (b)_*,\ \rho',\ (\mathcal F')_*] & \text{otherwise}
\end{cases}$$

Lifted environments are defined such that a liftable parameter never appears in them. This property will be useful during the proof of correctness.

Lemma 2.27. If $x$ is a liftable parameter in $(M, \mathcal F, \rho_T, \rho)$, then $x$ does not appear in $(\mathcal F)_*$.

Proof. Since $x$ is liftable in $(M, \mathcal F, \rho_T, \rho)$, it appears exclusively in the environments of the $h_i$. By definition, it is removed when building $(\mathcal F)_*$. $\square$

These invariants and definitions lead to a correctness theorem with stronger hypotheses. 

Theorem 2.28 (Correctness of lambda-lifting). If $x$ is a liftable parameter in $(M, \mathcal F, \rho_T, \rho)$, then
$$M^{s} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{s'} \ \text{ implies }\ (M)_*^{s} \xrightarrow[(\mathcal F)_*]{\rho_T \mid \rho} v^{s'}$$

Since naive and optimised reduction rules are equivalent (Theorem 2.13, p. 7), the proof of Theorem 2.9 (p. 5) is a direct corollary of this theorem.

Corollary 2.29. If $x$ is a liftable parameter in $M$, then
$$\exists t,\ M^{\varepsilon} \xrightarrow[\varepsilon]{\varepsilon \mid \varepsilon} v^{t} \ \text{ implies }\ \exists t',\ (M)_*^{\varepsilon} \xrightarrow[\varepsilon]{\varepsilon \mid \varepsilon} v^{t'}.$$

2.4.2 Overview of the proof 

With the enhanced liftability definition, we have invariants strong enough to perform a proof by induction of the correctness theorem. This proof is detailed in Section 2.4.5.

The proof is not by structural induction but by induction on the height of the derivation. This is necessary because, even with the stronger invariants, we cannot apply the induction hypotheses directly to the premises in the case of the (call) rule: we have to change the stores and environments, which means rewriting the whole derivation tree, before using the induction hypotheses.

To deal with this most difficult case, we distinguish between calling one of the lifted functions ($f = h_i$) and calling another function (either $g$, where $x$ is defined, or any other function outside of $g$). Only the former requires rewriting; the latter follows directly from the induction hypotheses.

In the (call) rule with $f = h_i$, issues arise when reducing the body $b$ of the lifted function. During this reduction, indeed, the store contains a new location $l'$ bound by the environment to the lifted variable $x$, but also contains the location $l$ which contains the original value of $x$. Our goal is to show that the reduction of $b$ implies the reduction of $(b)_*$, with store and environments fulfilling the constraints of the (call) rule.

To obtain the reduction of the lifted body $(b)_*$, we modify the reduction of $b$ in a series of steps, using several lemmas:

- the location $l$ of the free variable $x$ is moved to the tail environment (Lemma 2.30);

- the resulting reduction meets the induction hypotheses, which we apply to obtain the reduction of the lifted body $(b)_*$;

- however, this reduction does not meet the constraints of the optimised reduction rules because the location $l$ is not fresh: we rename it to a fresh location $l'$ to hold the lifted variable (Lemma 2.31);

- finally, since we renamed $l$ to $l'$, we need to reintroduce a location $l$ to hold the original value of $x$ (Lemmas 2.32 and 2.33).

The rewriting lemmas used in the (call) case are shown in Section 2.4.3.

For every other case, the proof consists in checking thoroughly that the induction hypotheses apply, in particular that $x$ is liftable in the premises. These verifications consist in checking Invariants 3 to 6 of the extended liftability definition (Definition 2.25); Invariants 1 and 2 are obvious enough not to be detailed. To keep the main proof as compact as possible, the most difficult cases of liftability, related to aliasing, are proven in some preliminary lemmas (Section 2.4.4).

One last issue arises during the induction when one of the premises does not contain the lifted variable $x$. In that case, the invariants do not hold, since they assume the presence of $x$. But it turns out that in this very case, the lifting function is the identity (since there is no variable to lift) and lambda-lifting is trivially correct.

2.4.3 Rewriting lemmas 

Calling a lifted function has an impact on the resulting store: new locations are introduced for the lifted parameters and the earlier locations, which are not modified anymore, are hidden. Because of these changes, the induction hypotheses do not apply directly in the case of the (call) rule for a lifted function $h_i$. We use the following four lemmas to obtain, through several rewriting steps, a reduction of lifted terms meeting the induction hypotheses.

- Lemma 2.30 shows that moving a variable from the non-tail environment $\rho$ to the tail environment $\rho_T$ does not change the result, but restricts the domain of the store. It is used to transform the original free variable $x$ (in the non-tail environment) to its lifted copy (which is a parameter of $h_i$, hence in the tail environment).

- Lemma 2.31 handles alpha-conversion in stores and is used when choosing a fresh location.

- Lemmas 2.32 and 2.33 finally add into the store and the environment a fresh location, bound to an arbitrary value. It is used to reintroduce the location containing the original value of $x$, after it has been alpha-converted to $l'$.

Lemma 2.30 (Switching to tail environment). If $M^{s} \xrightarrow[\mathcal F]{\rho_T \mid (x,l) \cdot \rho} v^{s'}$ and $x \notin \mathrm{dom}(\rho_T)$ then $M^{s} \xrightarrow[\mathcal F]{\rho_T \cdot (x,l) \mid \rho} v^{s'|_{\mathrm{dom}(s') \setminus \{l\}}}$. Moreover, both derivations have the same height.

Proof. By induction on the structure of the derivation. For the (val), (var), (assign) and (call) cases, we use the fact that $s \setminus \rho_T \cdot (x,l) = s'|_{\mathrm{dom}(s') \setminus \{l\}}$ when $s' = s \setminus \rho_T$.

(val) $v^{s} \xrightarrow[\mathcal F]{\rho_T \cdot (x,l) \mid \rho} v^{s \setminus \rho_T \cdot (x,l)}$ and $s \setminus \rho_T \cdot (x,l) = s'|_{\mathrm{dom}(s') \setminus \{l\}}$ with $s' = s \setminus \rho_T$.

(var) $y^{s} \xrightarrow[\mathcal F]{\rho_T \cdot (x,l) \mid \rho} s\,l'^{\,s \setminus \rho_T \cdot (x,l)}$ and $s \setminus \rho_T \cdot (x,l) = s'|_{\mathrm{dom}(s') \setminus \{l\}}$, with $l' = \rho_T \cdot (x,l) \cdot \rho\ y$ and $s' = s \setminus \rho_T$.

(assign) By hypothesis, $a^{s} \xrightarrow[\mathcal F]{\varepsilon \mid \rho_T \cdot (x,l) \cdot \rho} v^{s'}$ hence $y := a^{s} \xrightarrow[\mathcal F]{\rho_T \cdot (x,l) \mid \rho} 1^{s' + \{l' \mapsto v\} \setminus \rho_T \cdot (x,l)}$ and $s' + \{l' \mapsto v\} \setminus \rho_T \cdot (x,l) = s''|_{\mathrm{dom}(s'') \setminus \{l\}}$ with $l' = \rho_T \cdot (x,l) \cdot \rho\ y$ and $s'' = s' + \{l' \mapsto v\} \setminus \rho_T$.

(seq) By hypothesis, $a^{s} \xrightarrow[\mathcal F]{\varepsilon \mid \rho_T \cdot (x,l) \cdot \rho} v^{s'}$ and, by the induction hypotheses, $b^{s'} \xrightarrow[\mathcal F]{\rho_T \cdot (x,l) \mid \rho} v'^{s''|_{\mathrm{dom}(s'') \setminus \{l\}}}$ hence
$$a\,;\,b^{s} \xrightarrow[\mathcal F]{\rho_T \cdot (x,l) \mid \rho} v'^{s''|_{\mathrm{dom}(s'') \setminus \{l\}}}.$$

(if-true) and (if-false) are proved similarly to (seq).

(letrec) By the induction hypotheses,
$$b^{s} \xrightarrow[\mathcal F']{\rho_T \cdot (x,l) \mid \rho} v^{s'|_{\mathrm{dom}(s') \setminus \{l\}}}$$
hence
$$\mathbf{letrec}\ f(x_1 \ldots x_n) = a\ \mathbf{in}\ b^{s} \xrightarrow[\mathcal F]{\rho_T \cdot (x,l) \mid \rho} v^{s'|_{\mathrm{dom}(s') \setminus \{l\}}}.$$

(call) The hypotheses do not change, and the conclusion becomes:
$$f(a_1 \ldots a_n)^{s} \xrightarrow[\mathcal F]{\rho_T \cdot (x,l) \mid \rho} v^{s' \setminus \rho_T \cdot (x,l)}$$
as expected, since $s' \setminus \rho_T \cdot (x,l) = s''|_{\mathrm{dom}(s'') \setminus \{l\}}$ with $s'' = s' \setminus \rho_T$. $\square$

Lemma 2.31 (Alpha-conversion). If $M^{s} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{s'}$ then, for all $l$, for all $l'$ appearing neither in $s$ nor in $\mathcal F$ nor in $\rho \cdot \rho_T$,
$$M^{s[l'/l]} \xrightarrow[\mathcal F[l'/l]]{\rho_T[l'/l] \mid \rho[l'/l]} v^{s'[l'/l]}$$
Moreover, both derivations have the same height.

Proof. See Lemma 2.15, p. 10. $\square$

Lemma 2.32 (Spurious location in store). If $M^{s} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{s'}$ and $k$ does not appear in either $s$, $\mathcal F$ or $\rho_T \cdot \rho$, then, for all value $u$, $M^{s + \{k \mapsto u\}} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{s' + \{k \mapsto u\}}$. Moreover, both derivations have the same height.


Proof. By induction on the height of the derivation. The key idea is to add $(k, u)$ to every store in the derivation tree. A collision might occur in the (call) rule, if there is some $j$ such that $l_j = k$. In that case, we need to rename $l_j$ to some fresh location $l'_j \neq k$ (by alpha-conversion) before applying the induction hypotheses.

(call) By the induction hypotheses,
$$\forall i,\ a_i^{s_i + \{k \mapsto u\}} \xrightarrow[\mathcal F]{\varepsilon \mid \rho_T \cdot \rho} v_i^{s_{i+1} + \{k \mapsto u\}}$$
Because $k$ does not appear in $\mathcal F$,
$$k \notin \mathrm{Loc}(\mathcal F' + \{f \mapsto \mathcal F f\}) \subseteq \mathrm{Loc}(\mathcal F)$$
For the same reason, it does not appear in $\rho'$. On the other hand, there might be a $j$ such that $l_j = k$, so $k$ might appear in $\rho''$. In that case, we rename $l_j$ in some fresh $l'_j \neq k$, appearing in neither $s_{n+1}$, nor $\mathcal F'$ or $\rho'' \cdot \rho'$ (Lemma 2.31). After this alpha-conversion, $k$ does not appear in either $\rho'' \cdot \rho'$, $\mathcal F' + \{f \mapsto \mathcal F f\}$, or $s_{n+1} + \{l_i \mapsto v_i\}$. By the induction hypotheses,
$$b^{s_{n+1} + \{l_i \mapsto v_i\} + \{k \mapsto u\}} \xrightarrow[\mathcal F' + \{f \mapsto \mathcal F f\}]{\rho'' \mid \rho'} v^{s' + \{k \mapsto u\}}$$
Moreover, $s' + \{k \mapsto u\} \setminus \rho_T = s' \setminus \rho_T + \{k \mapsto u\}$ (since $k$ does not appear in $\rho_T$). Hence
$$f(a_1 \ldots a_n)^{s + \{k \mapsto u\}} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{s' + \{k \mapsto u\} \setminus \rho_T}.$$

(val) $v^{s + \{k \mapsto u\}} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{s + \{k \mapsto u\} \setminus \rho_T}$ and $s + \{k \mapsto u\} \setminus \rho_T = s \setminus \rho_T + \{k \mapsto u\}$ since $k$ does not appear in $\rho_T$.

(var) $x^{s + \{k \mapsto u\}} \xrightarrow[\mathcal F]{\rho_T \mid \rho} (s + \{k \mapsto u\})\,l^{\,s + \{k \mapsto u\} \setminus \rho_T}$, with $s + \{k \mapsto u\} \setminus \rho_T = s \setminus \rho_T + \{k \mapsto u\}$ since $k$ does not appear in $\rho_T$, and $(s + \{k \mapsto u\})\,l = s\,l$ since $k \neq l$ ($k$ does not appear in $s$).

(assign) By the induction hypotheses, $a^{s + \{k \mapsto u\}} \xrightarrow[\mathcal F]{\varepsilon \mid \rho_T \cdot \rho} v^{s' + \{k \mapsto u\}}$. And $k \neq l$ (since $k$ does not appear in $s$) then $s' + \{k \mapsto u\} + \{l \mapsto v\} = s' + \{l \mapsto v\} + \{k \mapsto u\}$. Moreover, $k$ does not appear in $\rho_T$ then $s' + \{l \mapsto v\} + \{k \mapsto u\} \setminus \rho_T = s' + \{l \mapsto v\} \setminus \rho_T + \{k \mapsto u\}$. Hence
$$x := a^{s + \{k \mapsto u\}} \xrightarrow[\mathcal F]{\rho_T \mid \rho} 1^{s' + \{l \mapsto v\} \setminus \rho_T + \{k \mapsto u\}}$$

(seq) By the induction hypotheses,
$$a^{s + \{k \mapsto u\}} \xrightarrow[\mathcal F]{\varepsilon \mid \rho_T \cdot \rho} v^{s' + \{k \mapsto u\}} \qquad\qquad b^{s' + \{k \mapsto u\}} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v'^{s'' + \{k \mapsto u\}}$$
Hence
$$a\,;\,b^{s + \{k \mapsto u\}} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v'^{s'' + \{k \mapsto u\}}$$

(if-true) and (if-false) are proved similarly to (seq).

(letrec) The location $k$ does not appear in $\mathcal F'$, because it does not appear in either $\mathcal F$ or $\rho' \subseteq \rho_T \cdot \rho$ ($\mathcal F' = \mathcal F + \{f \mapsto [\lambda x_1 \ldots x_n . a, \rho', \mathcal F]\}$). Then, by the induction hypotheses,
$$b^{s + \{k \mapsto u\}} \xrightarrow[\mathcal F']{\rho_T \mid \rho} v^{s' + \{k \mapsto u\}}$$
Hence
$$\mathbf{letrec}\ f(x_1 \ldots x_n) = a\ \mathbf{in}\ b^{s + \{k \mapsto u\}} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{s' + \{k \mapsto u\}}. \qquad \square$$
Lemma 2.33 (Spurious variable in environments).
$$\forall l, l',\qquad M^{s} \xrightarrow[\mathcal F]{\rho_T \cdot (x,l) \mid \rho} v^{s'} \ \text{ iff }\ M^{s} \xrightarrow[\mathcal F]{\rho_T \cdot (x,l) \mid (x,l') \cdot \rho} v^{s'}$$
Moreover, both derivations have the same height.

Proof. See the corresponding lemma, p. 21. $\square$
2.4.4 Aliasing lemmas 

We need three lemmas to show that environments remain aliasing-free during the proof by induction in Section 2.4.5. The first lemma states that concatenating two environments in an aliasing-free set yields an aliasing-free set. The other two prove that the aliasing invariant (Invariant 6, Definition 2.25) holds in the context of the (call) and (letrec) rules, respectively.

Lemma 2.34 (Concatenation). If $\mathcal E \cup \{\rho, \rho'\}$ is aliasing-free then $\mathcal E \cup \{\rho \cdot \rho'\}$ is aliasing-free.

Proof. By exhaustive check of cases. We want to prove
$$\forall \rho_1, \rho_2 \in \mathcal E \cup \{\rho \cdot \rho'\},\ \forall x \in \mathrm{dom}(\rho_1),\ \forall y \in \mathrm{dom}(\rho_2),\quad \rho_1\,x = \rho_2\,y \Rightarrow x = y.$$
given that
$$\forall \rho_1, \rho_2 \in \mathcal E \cup \{\rho, \rho'\},\ \forall x \in \mathrm{dom}(\rho_1),\ \forall y \in \mathrm{dom}(\rho_2),\quad \rho_1\,x = \rho_2\,y \Rightarrow x = y.$$
If $\rho_1 \in \mathcal E$ and $\rho_2 \in \mathcal E$, immediate. If $\rho_1 \in \{\rho \cdot \rho'\}$, $\rho_1\,x = \rho\,x$ or $\rho'\,x$. This is the same for $\rho_2$. Then $\rho_1\,x = \rho_2\,y$ is equivalent to $\rho\,x = \rho'\,y$ (or some other combination, depending on $x$, $y$, $\rho_1$ and $\rho_2$) which leads to the expected result. $\square$

Lemma 2.35 (Aliasing in (call) rule). Assume that, in a (call) rule,

- $\mathcal F\,f = [\lambda x_1 \ldots x_n . b, \rho', \mathcal F']$,

- $\mathrm{Env}(\mathcal F)$ is aliasing-free, and

- $\rho'' = (x_1, l_1) \cdot \ldots \cdot (x_n, l_n)$, with fresh and distinct locations $l_i$.

Then $\mathrm{Env}(\mathcal F' + \{f \mapsto \mathcal F f\}) \cup \{\rho', \rho''\}$ is also aliasing-free.

Proof. Let $\mathcal E = \mathrm{Env}(\mathcal F' + \{f \mapsto \mathcal F f\}) \cup \{\rho'\}$. We know that $\mathcal E \subseteq \mathrm{Env}(\mathcal F)$ so $\mathcal E$ is aliasing-free. We want to show that adding fresh and distinct locations from $\rho''$ preserves this aliasing freedom. More precisely, we want to show that
$$\forall \rho_1, \rho_2 \in \mathcal E \cup \{\rho''\},\ \forall x \in \mathrm{dom}(\rho_1),\ \forall y \in \mathrm{dom}(\rho_2),\quad \rho_1\,x = \rho_2\,y \Rightarrow x = y$$
given that
$$\forall \rho_1, \rho_2 \in \mathcal E,\ \forall x \in \mathrm{dom}(\rho_1),\ \forall y \in \mathrm{dom}(\rho_2),\quad \rho_1\,x = \rho_2\,y \Rightarrow x = y.$$
We reason by checking of all cases. If $\rho_1 \in \mathcal E$ and $\rho_2 \in \mathcal E$, immediate. If $\rho_1 = \rho_2 = \rho''$ then $\rho''\,x = \rho''\,y \Rightarrow x = y$ holds because the locations of $\rho''$ are distinct. If $\rho_1 = \rho''$ and $\rho_2 \in \mathcal E$ then $\rho_1\,x = \rho_2\,y \Rightarrow x = y$ holds because $\rho_1\,x \neq \rho_2\,y$ (by freshness hypothesis). $\square$



Lemma 2.36 (Aliasing in (letrec) rule). If $\mathrm{Env}(\mathcal F) \cup \{\rho, \rho_T\}$ is aliasing-free, then, for all $x_i$,
$$\mathrm{Env}(\mathcal F) \cup \{\rho, \rho_T\} \cup \{\rho_T \cdot \rho|_{\mathrm{dom}(\rho_T \cdot \rho) \setminus \{x_1 \ldots x_n\}}\}$$
is aliasing-free.

Proof. Let $\mathcal E = \mathrm{Env}(\mathcal F) \cup \{\rho, \rho_T\}$ and $\rho'' = \rho_T \cdot \rho|_{\mathrm{dom}(\rho_T \cdot \rho) \setminus \{x_1 \ldots x_n\}}$. Adding $\rho''$, a restricted concatenation of $\rho_T$ and $\rho$, to $\mathcal E$ preserves aliasing freedom, as in the proof of Lemma 2.34. If $\rho_1 \in \mathcal E$ and $\rho_2 \in \mathcal E$, immediate. If $\rho_1 \in \{\rho''\}$, $\rho_1\,x = \rho\,x$ or $\rho_T\,x$. This is the same for $\rho_2$. Then $\rho_1\,x = \rho_2\,y$ is equivalent to $\rho\,x = \rho_T\,y$ (or some other combination, depending on $x$, $y$, $\rho_1$ and $\rho_2$) which leads to the expected result. $\square$

2.4.5 Proof of correctness 

We finally show Theorem 2.28.

Theorem 2.28. If $x$ is a liftable parameter in $(M, \mathcal F, \rho_T, \rho)$, then
$$M^{s} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{s'} \ \text{ implies }\ (M)_*^{s} \xrightarrow[(\mathcal F)_*]{\rho_T \mid \rho} v^{s'}$$

Assume that $x$ is a liftable parameter in $(M, \mathcal F, \rho_T, \rho)$. The proof is by induction on the height of the reduction of $M^{s} \xrightarrow[\mathcal F]{\rho_T \mid \rho} v^{s'}$. To keep the proof readable, we detail only the non-trivial cases when checking the invariants of Definition 2.25 to ensure that the induction hypotheses hold.

(call), first case. First, we consider the most interesting case where there exists $i$ such that $f = h_i$. The variable $x$ is a liftable parameter in $(h_i(a_1 \ldots a_n), \mathcal F, \rho_T, \rho)$ hence in $(a_i, \mathcal F, \varepsilon, \rho_T \cdot \rho)$ too.

Indeed, the invariants of Definition 2.25 hold:

- Invariant 3: By definition of a local position, every $f$ defined in local position in $a_i$ is in local position in $h_i(a_1 \ldots a_n)$, hence the expected property by the induction hypotheses.

- Invariant 4: Immediate since the premise does not hold: since the $a_i$ are not in tail position in $h_i(a_1 \ldots a_n)$, they cannot feature calls to $h_i$ (by Invariant 2).

- Invariant 6: Lemma 2.34, p. 26.

The other invariants hold trivially.

By the induction hypotheses, we get
$$(a_i)_*^{s_i} \xrightarrow[(\mathcal F)_*]{\varepsilon \mid \rho_T \cdot \rho} v_i^{s_{i+1}}.$$
By definition of lifting, $(h_i(a_1 \ldots a_n))_* = h_i((a_1)_*, \ldots, (a_n)_*, x)$. But $x$ is not a liftable parameter in $(b, \mathcal F', \rho'', \rho')$ since Invariant 4 might be broken: $x \notin \mathrm{dom}(\rho'')$ ($x$ is not a parameter of $h_i$) but $h_j$ might appear in tail position in $b$.

On the other hand, we have $x \in \mathrm{dom}(\rho')$: since, by hypothesis, $x$ is a liftable parameter in $(h_i(a_1 \ldots a_n), \mathcal F, \rho_T, \rho)$, it appears necessarily in the environments of the closures of the $h_i$, such as $\rho'$. This allows us to split $\rho'$ into two parts: $\rho' = (x, l) \cdot \rho'''$. It is then possible to move $(x, l)$ to the tail environment, according to Lemma 2.30.

This rewriting ensures that $x$ is a liftable parameter in $(b, \mathcal F' + \{f \mapsto \mathcal F f\}, \rho'' \cdot (x, l), \rho''')$. Indeed, the invariants of Definition 2.25 hold:
- Invariant 3: Every function defined in local position in $b$ is an inner function in $h_i$ so, by Invariant 2, it is one of the $h_i$ and $x \in \mathrm{dom}(\rho'' \cdot (x, l) \cdot \rho''')$.

- Invariant 4: Immediate since $x \in \mathrm{dom}(\rho'' \cdot (x, l) \cdot \rho''')$.

- Invariant 5: Immediate since $\mathcal F'$ is included in $\mathcal F$.

- Invariant 6: Immediate for the compact closures. Aliasing freedom is guaranteed by Lemma 2.35 (p. 26).

The other invariants hold trivially. By the induction hypotheses,
$$(b)_*^{s_{n+1} + \{l_i \mapsto v_i\}} \xrightarrow[(\mathcal F' + \{f \mapsto \mathcal F f\})_*]{\rho'' \cdot (x,l) \mid \rho'''} v^{s'|_{\mathrm{dom}(s') \setminus \{l\}}}$$

The $l$ location is not fresh: it must be rewritten into a fresh location, since $x$ is now a parameter of $h_i$. Let $l'$ be a location appearing in neither $(\mathcal F' + \{f \mapsto \mathcal F f\})_*$, nor $s_{n+1} + \{l_i \mapsto v_i\}$ or $\rho'' \cdot \rho'''$. Then $l'$ is a fresh location, which is to act as $l$ in the reduction of $(b)_*$.

We will show that, after the reduction, $l'$ is not in the store (just like $l$ before the lambda-lifting). In the meantime, the value associated to $l$ does not change (since $l'$ is modified instead of $l$).

Lemma 2.27 implies that $x$ does not appear in the environments of $(\mathcal F)_*$, so it does not appear in the environments of $(\mathcal F' + \{f \mapsto \mathcal F f\})_* \subseteq (\mathcal F)_*$ either. As a consequence, lack of aliasing implies by Definition 2.23 that the label $l$, associated to $x$, does not appear in $(\mathcal F' + \{f \mapsto \mathcal F f\})_*$ either, so
$$(\mathcal F' + \{f \mapsto \mathcal F f\})_*[l'/l] = (\mathcal F' + \{f \mapsto \mathcal F f\})_*.$$
Moreover, $l$ does not appear in $s'|_{\mathrm{dom}(s') \setminus \{l\}}$. By alpha-conversion (Lemma 2.31), since $l'$ does not appear in the store or the environments of the reduction, we rename $l$ to $l'$:
$$(b)_*^{s_{n+1}[l'/l] + \{l_i \mapsto v_i\}} \xrightarrow[(\mathcal F' + \{f \mapsto \mathcal F f\})_*]{\rho'' \cdot (x,l') \mid \rho'''} v^{s'|_{\mathrm{dom}(s') \setminus \{l\}}}$$
We want now to reintroduce $l$. Let $v_x = s_{n+1}\,l$. The location $l$ does not appear in $s_{n+1}[l'/l] + \{l_i \mapsto v_i\}$, $(\mathcal F' + \{f \mapsto \mathcal F f\})_*$, or $\rho'' \cdot (x,l') \cdot \rho'''$. Thus, by Lemma 2.32,
$$(b)_*^{s_{n+1}[l'/l] + \{l_i \mapsto v_i\} + \{l \mapsto v_x\}} \xrightarrow[(\mathcal F' + \{f \mapsto \mathcal F f\})_*]{\rho'' \cdot (x,l') \mid \rho'''} v^{s'|_{\mathrm{dom}(s') \setminus \{l\}} + \{l \mapsto v_x\}}$$
Since
$$\begin{aligned}
s_{n+1}[l'/l] + \{l_i \mapsto v_i\} + \{l \mapsto v_x\} &= s_{n+1}[l'/l] + \{l \mapsto v_x\} + \{l_i \mapsto v_i\} && \text{because } \forall i,\ l \neq l_i\\
&= s_{n+1} + \{l' \mapsto v_x\} + \{l_i \mapsto v_i\} && \text{because } v_x = s_{n+1}\,l\\
&= s_{n+1} + \{l_i \mapsto v_i\} + \{l' \mapsto v_x\} && \text{because } \forall i,\ l' \neq l_i
\end{aligned}$$
and $s'|_{\mathrm{dom}(s') \setminus \{l\}} + \{l \mapsto v_x\} = s' + \{l \mapsto v_x\}$, we finish the rewriting by Lemma 2.33:
$$(b)_*^{s_{n+1} + \{l_i \mapsto v_i\} + \{l' \mapsto v_x\}} \xrightarrow[(\mathcal F' + \{f \mapsto \mathcal F f\})_*]{\rho'' \cdot (x,l') \mid (x,l) \cdot \rho'''} v^{s' + \{l \mapsto v_x\}}$$
Hence the result:
$$\frac{\begin{array}{c}
(\mathcal F)_*\,h_i = [\lambda x_1 \ldots x_n\, x . (b)_*,\ \rho'|_{\mathrm{dom}(\rho') \setminus \{x\}},\ (\mathcal F')_*] \qquad \rho'' = (x_1, l_1) \cdot \ldots \cdot (x_n, l_n) \cdot (x, l') \qquad l_i \text{ and } l' \text{ fresh and distinct}\\[4pt]
\forall i,\ (a_i)_*^{s_i} \xrightarrow[(\mathcal F)_*]{\varepsilon \mid \rho_T \cdot \rho} v_i^{s_{i+1}} \qquad
(b)_*^{s_{n+1} + \{l_i \mapsto v_i\} + \{l' \mapsto v_x\}} \xrightarrow[(\mathcal F' + \{f \mapsto \mathcal F f\})_*]{\rho'' \mid (x,l) \cdot \rho'''} v^{s' + \{l \mapsto v_x\}}
\end{array}}{(h_i(a_1 \ldots a_n))_*^{s_1} \xrightarrow[(\mathcal F)_*]{\rho_T \mid \rho} v^{s' + \{l \mapsto v_x\} \setminus \rho_T}}\ \text{(call)}$$
Since $l \notin \mathrm{dom}(\rho_T)$ (because $x$ is a liftable parameter in $(h_i(a_1 \ldots a_n), \mathcal F, \rho_T, \rho)$), the extraneous location is reclaimed as expected: $s' + \{l \mapsto v_x\} \setminus \rho_T = s' \setminus \rho_T$.

(call), second case. We now consider the case where $f$ is not one of the $h_i$. The variable $x$ is a liftable parameter in $(f(a_1 \ldots a_n), \mathcal F, \rho_T, \rho)$ hence in $(a_i, \mathcal F, \varepsilon, \rho_T \cdot \rho)$ too. Indeed, the invariants of Definition 2.25 hold:

- Invariant 3: By definition of a local position, every $f$ defined in local position in $a_i$ is in local position in $f(a_1 \ldots a_n)$, hence the expected property by the induction hypotheses.

- Invariant 4: Immediate since the premise does not hold: the $a_i$ are not in tail position in $f(a_1 \ldots a_n)$ so they cannot feature calls to $h_i$ (by Invariant 2).

- Invariant 6: Lemma 2.34, p. 26.

The other invariants hold trivially.

By the induction hypotheses, we get
$$(a_i)_*^{s_i} \xrightarrow[(\mathcal F)_*]{\varepsilon \mid \rho_T \cdot \rho} v_i^{s_{i+1}}$$
and, by Definition 2.6,
$$(f(a_1 \ldots a_n))_* = f((a_1)_*, \ldots, (a_n)_*).$$
If $x$ is not defined in $b$ or $\mathcal F$, then $(\cdot)_*$ is the identity function and can trivially be applied to the reduction of $b$. Otherwise, $x$ is a liftable parameter in $(b, \mathcal F' + \{f \mapsto \mathcal F f\}, \rho'', \rho')$.

Indeed, the invariants of Definition 2.25 hold. Assume that $x$ is defined as a parameter of some function $g$, in either $b$ or $\mathcal F$:

- Invariant 3: We have to distinguish the cases where $f = g$ (with $x \in \mathrm{dom}(\rho'')$) and $f \neq g$ (with $x \notin \mathrm{dom}(\rho'')$ and $x \in \mathrm{dom}(\rho')$). In both cases, the result is immediate by the induction hypotheses.

- Invariant 4: If $f \neq g$, the premise cannot hold (by the induction hypotheses, Invariant 2). If $f = g$, $x \in \mathrm{dom}(\rho'')$ (by the induction hypotheses, Invariant 1).

- Invariant 5: Immediate since $\mathcal F'$ is included in $\mathcal F$.

- Invariant 6: Immediate for the compact closures. Aliasing freedom is guaranteed by Lemma 2.35 (p. 26).

The other invariants hold trivially. By the induction hypotheses,
$$(b)_*^{s_{n+1} + \{l_i \mapsto v_i\}} \xrightarrow[(\mathcal F' + \{f \mapsto \mathcal F f\})_*]{\rho'' \mid \rho'} v^{s'}$$
hence:
$$\frac{\begin{array}{c}
(\mathcal F)_*\,f = [\lambda x_1 \ldots x_n . (b)_*,\ \rho',\ (\mathcal F')_*] \qquad \rho'' = (x_1, l_1) \cdot \ldots \cdot (x_n, l_n) \qquad l_i \text{ fresh and distinct}\\[4pt]
\forall i,\ (a_i)_*^{s_i} \xrightarrow[(\mathcal F)_*]{\varepsilon \mid \rho_T \cdot \rho} v_i^{s_{i+1}} \qquad
(b)_*^{s_{n+1} + \{l_i \mapsto v_i\}} \xrightarrow[(\mathcal F' + \{f \mapsto \mathcal F f\})_*]{\rho'' \mid \rho'} v^{s'}
\end{array}}{(f(a_1 \ldots a_n))_*^{s_1} \xrightarrow[(\mathcal F)_*]{\rho_T \mid \rho} v^{s' \setminus \rho_T}}\ \text{(call)}$$

(letrec) The parameter $x$ is liftable in $(\mathbf{letrec}\ f(x_1 \ldots x_n) = a\ \mathbf{in}\ b, \mathcal F, \rho_T, \rho)$ so $x$ is a liftable parameter in $(b, \mathcal F', \rho_T, \rho)$ too.

Indeed, the invariants of Definition 2.25 hold:

- Invariants 3 and 4: Immediate by the induction hypotheses and definition of tail and local positions.

- Invariant 5: By the induction hypotheses, Invariant 3 ($x$ is to appear in the new closure if and only if $f = h_i$).

- Invariant 6: Lemma 2.36 (p. 27).

The other invariants hold trivially.

By the induction hypotheses, we get
$$(b)_*^{s} \xrightarrow[(\mathcal F')_*]{\rho_T \mid \rho} v^{s'}.$$
If $f \neq h_i$,
$$(\mathbf{letrec}\ f(x_1 \ldots x_n) = a\ \mathbf{in}\ b)_* = \mathbf{letrec}\ f(x_1 \ldots x_n) = (a)_*\ \mathbf{in}\ (b)_*$$
hence, by definition of $(\mathcal F')_*$,
$$\frac{\rho' = \rho_T \cdot \rho|_{\mathrm{dom}(\rho_T \cdot \rho) \setminus \{x_1 \ldots x_n\}} \qquad (\mathcal F')_* = (\mathcal F)_* + \{f \mapsto [\lambda x_1 \ldots x_n . (a)_*, \rho', (\mathcal F)_*]\} \qquad (b)_*^{s} \xrightarrow[(\mathcal F')_*]{\rho_T \mid \rho} v^{s'}}{(\mathbf{letrec}\ f(x_1 \ldots x_n) = a\ \mathbf{in}\ b)_*^{s} \xrightarrow[(\mathcal F)_*]{\rho_T \mid \rho} v^{s'}}\ \text{(letrec)}$$
On the other hand, if $f = h_i$,
$$(\mathbf{letrec}\ f(x_1 \ldots x_n) = a\ \mathbf{in}\ b)_* = \mathbf{letrec}\ f(x_1 \ldots x_n\, x) = (a)_*\ \mathbf{in}\ (b)_*$$
hence, by definition of $(\mathcal F')_*$,
$$\frac{\rho' = \rho_T \cdot \rho|_{\mathrm{dom}(\rho_T \cdot \rho) \setminus \{x_1 \ldots x_n\, x\}} \qquad (\mathcal F')_* = (\mathcal F)_* + \{h_i \mapsto [\lambda x_1 \ldots x_n\, x . (a)_*, \rho', (\mathcal F)_*]\} \qquad (b)_*^{s} \xrightarrow[(\mathcal F')_*]{\rho_T \mid \rho} v^{s'}}{(\mathbf{letrec}\ h_i(x_1 \ldots x_n) = a\ \mathbf{in}\ b)_*^{s} \xrightarrow[(\mathcal F)_*]{\rho_T \mid \rho} v^{s'}}\ \text{(letrec)}$$

(val) $(v)_* = v$ so
$$\frac{}{(v)_*^{s} \xrightarrow[(\mathcal F)_*]{\rho_T \mid \rho} v^{s \setminus \rho_T}}\ \text{(val)}$$

(var) $(y)_* = y$ so
$$\frac{\rho_T \cdot \rho\ y = l \in \mathrm{dom}\ s}{(y)_*^{s} \xrightarrow[(\mathcal F)_*]{\rho_T \mid \rho} s\,l^{\,s \setminus \rho_T}}\ \text{(var)}$$

(assign) The parameter $x$ is liftable in $(y := a, \mathcal F, \rho_T, \rho)$ so in $(a, \mathcal F, \varepsilon, \rho_T \cdot \rho)$ too. Indeed, the invariants of Definition 2.25 hold:

- Invariant 6: Lemma 2.34, p. 26.

The other invariants hold trivially.

By the induction hypotheses, we get
$$(a)_*^{s} \xrightarrow[(\mathcal F)_*]{\varepsilon \mid \rho_T \cdot \rho} v^{s'}.$$
Moreover
$$(y := a)_* = y := (a)_*$$
so:
$$\frac{(a)_*^{s} \xrightarrow[(\mathcal F)_*]{\varepsilon \mid \rho_T \cdot \rho} v^{s'} \qquad \rho_T \cdot \rho\ y = l \in \mathrm{dom}\ s}{(y := a)_*^{s} \xrightarrow[(\mathcal F)_*]{\rho_T \mid \rho} 1^{s' + \{l \mapsto v\} \setminus \rho_T}}\ \text{(assign)}$$

(seq) The parameter $x$ is liftable in $(a\,;\,b, \mathcal F, \rho_T, \rho)$. If $x$ is not defined in $a$ or $\mathcal F$, then $(\cdot)_*$ is the identity function and can trivially be applied to the reduction of $a$. Otherwise, $x$ is a liftable parameter in $(a, \mathcal F, \varepsilon, \rho_T \cdot \rho)$.

Indeed, the invariants of Definition 2.25 hold:

- Invariant 6: Lemma 2.34, p. 26.

The other invariants hold trivially.

If $x$ is not defined in $b$ or $\mathcal F$, then $(\cdot)_*$ is the identity function and can trivially be applied to the reduction of $b$. Otherwise, $x$ is a liftable parameter in $(b, \mathcal F, \rho_T, \rho)$. Indeed, the invariants of Definition 2.25 hold trivially.

By the induction hypotheses, we get $(a)_*^{s} \xrightarrow[(\mathcal F)_*]{\varepsilon \mid \rho_T \cdot \rho} v^{s'}$ and $(b)_*^{s'} \xrightarrow[(\mathcal F)_*]{\rho_T \mid \rho} v'^{s''}$. Moreover,
$$(a\,;\,b)_* = (a)_*\,;\,(b)_*$$
hence:
$$\frac{(a)_*^{s} \xrightarrow[(\mathcal F)_*]{\varepsilon \mid \rho_T \cdot \rho} v^{s'} \qquad (b)_*^{s'} \xrightarrow[(\mathcal F)_*]{\rho_T \mid \rho} v'^{s''}}{(a\,;\,b)_*^{s} \xrightarrow[(\mathcal F)_*]{\rho_T \mid \rho} v'^{s''}}\ \text{(seq)}$$

(if-true) and (if-false) are proved similarly to (seq).
3 CPS conversion

In this section, we prove the correctness of the CPS-conversion performed by the CPC translator. This conversion is defined only on a subset of C programs that we call CPS-convertible terms (Section 3.1). We first show that the early evaluation of function parameters in CPS-convertible terms is correct (Section 3.2). To simplify the proof of correctness of CPS-conversion, we then introduce small-step reduction rules featuring contexts and early evaluation (Section 3.3).

In Section 3.4, we define CPS terms, with the push and invoke operators to build and execute continuations, and the associated reduction rules. Since the syntax of CPS-terms does not ensure a correct reduction, we also define well-formed CPS-terms, which are the image of CPS-convertible terms by CPS-conversion.

The proof of correctness of CPS-conversion is finally carried out in Section 3.5. It consists merely in checking that the reduction rules for CPS-convertible terms and well-formed CPS-terms execute in lock-step.

3.1 CPS-convertible form 

CPS conversion is not defined for every C function; instead, we restrict ourselves to a subset of functions, which we call the CPS-convertible subset. The CPS-convertible form restricts the calls to cps functions to make it straightforward to capture their continuation. In CPS-convertible form, a call to a cps function f is either in tail position, or followed by a tail call to another cps function whose parameters are non-shared variables that cannot be modified by f. In the C language, we define the CPS-convertible form as follows:

Definition 3.1 (CPS-convertible form). A function h is in CPS-convertible form if every call to a cps function that it contains matches one of the following patterns, where both f and g are cps functions, e_1, ..., e_n are any C expressions and x, y_1, ..., y_n are distinct, non-shared variables:

    return f(e_1, ..., e_n);                                (1)
    x = f(e_1, ..., e_n); return g(x, y_1, ..., y_n);       (2)
    f(e_1, ..., e_n); return g(x, y_1, ..., y_n);           (3)
    f(e_1, ..., e_n); return;                               (4)
    f(e_1, ..., e_n); g(x, y_1, ..., y_n); return;          (5)
    x = f(e_1, ..., e_n); g(x, y_1, ..., y_n); return;      (6)

Note the use of return to explicitly mark calls in tail position. The forms (3) to (6) are only necessary to handle the cases where f and g return void; in the rest of the proof, we ignore these cases that are a syntactical detail of the C language, and focus on the essential cases (1) and (2).

To prove the correctness of CPS-conversion, we need to express this definition in our small imperative language. This is done by defining CPS-convertible terms, which are a subset of the terms introduced in Definition 2.1 (Section 2.1). A program in CPS-convertible form consists of a set of mutually-recursive functions with no free variables, the body of each of which is a CPS-convertible term.

A CPS-convertible term has two parts: the head and the tail. The head is a (possibly empty) sequence of assignments, possibly embedded within conditional statements. The tail is a (possibly empty) sequence of function calls in a highly restricted form: their parameters are (side-effect free) expressions, except possibly for the last one, which can be another function call of the same form. Values and expressions are left unchanged.
Definition 3.2 (CPS-convertible terms). 

$$\begin{array}{rcll}
v & ::= & 1 \mid \textsf{true} \mid \textsf{false} \mid n \in \mathbb{N} & \text{(values)} \\
\mathit{expr} & ::= & v \mid x \mid \dots & \text{(expressions)} \\
F & ::= & f(\mathit{expr}, \dots, \mathit{expr}) \mid f(\mathit{expr}, \dots, \mathit{expr}, F) & \text{(nested function calls)} \\
Q & ::= & \varepsilon \mid Q \mathrel; F & \text{(tail)} \\
T & ::= & \mathit{expr} \mid x := \mathit{expr} \mathrel; T \mid \textsf{if}\ \mathit{expr}\ \textsf{then}\ T\ \textsf{else}\ T \mid Q & \text{(head)}
\end{array}$$



The essential property of CPS-convertible terms, which makes their CPS conversion immediate 
to perform, is the guarantee that there is no cps call outside of the tails. It makes continuations 
easy to represent as a series of function calls (tails) and separates them clearly from 
imperative blocks (heads), which are not modified by the CPC translator. 

The tails are a generalisation of Definition 3.1 which will be useful for the proof of correctness 
of CPS-conversion. Note that `x = f(e1, ..., en); return g(x, y1, ..., yn);` is 
represented by $g(f(e_1 \dots e_n), y_1 \dots y_n)$: this translation is correct because, contrary to C, our 
language guarantees a left-to-right evaluation of function parameters. 

Also noteworthy are the facts that: 

- there is no letrec construct anymore since every function is defined at top-level, 

- assignments, conditions and function parameters of f are restricted to expressions, to ensure 
that function calls only appear in tail position, 

- there is no need to forbid shared variables in the parameters of g because they are ruled 
out of our language by design. 

3.2 Early evaluation 

In this section, we prove the correctness of early evaluation, i.e. evaluating the expressions 
$\mathit{expr}$ before $F$ when reducing $f(\mathit{expr}, \dots, \mathit{expr}, F)$ in a tail. This result is necessary to show 
the correctness of the CPS-conversion, because function parameters are evaluated before any 
function call when building continuations. 

The reduction rules may be simplified somewhat for CPS-convertible terms. We do not need 
to keep an explicit environment of functions since there are no inner functions any more; for the 
same reason, the (letrec) rule disappears. Instead, we use a constant environment $\mathcal{F}$ holding 
every function used in the reduced term $M$. To account for the absence of free variables, the 
closures in $\mathcal{F}$ need not carry an environment. As a result, in the (call) rule, $\rho' = \varepsilon$ and $\mathcal{F}' = \mathcal{F}$. 

Early evaluation is correct for lifted terms because a lifted term can never modify the variables 
that are not in its environment, since it cannot access them through closures. 

Lemma 3.3. Let $M$ be a lambda-lifted term. Then, 

$$M\ s \xrightarrow[\rho]{\mathcal{F}} v\ s' \quad\text{implies}\quad s|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)} = s'|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)}.$$

Proof. By induction on the structure of the reduction. The key points are the use of $\rho' = \varepsilon$ in 
the (call) case, and the absence of (letrec) rules. 

(val) and (var) Trivial ($s = s'$). 



(assign) By the induction hypotheses, 

$$s|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)} = s'|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)} \quad\text{and}\quad l \in \mathrm{Im}(\rho),$$

hence 

$$s|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)} = (s' + \{l \mapsto v\})|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)}.$$

(seq) By the induction hypotheses, 

$$s|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)} = s'|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)} \quad\text{and}\quad s'|_{\mathrm{dom}(s')\setminus\mathrm{Im}(\rho)} = s''|_{\mathrm{dom}(s')\setminus\mathrm{Im}(\rho)}.$$

Since $\mathrm{dom}(s) \subset \mathrm{dom}(s')$, the second equality can be restricted to 

$$s'|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)} = s''|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)}.$$

Hence, 

$$s|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)} = s''|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)}.$$

(if-true) and (if-false) are proved similarly to (seq). 
(letrec) doesn't occur since $M$ is lambda-lifted. 
(call) By the induction hypotheses, 

$$(s_{n+1} + \{l_i \mapsto v_i\})|_{\mathrm{dom}(s_{n+1} + \{l_i \mapsto v_i\})\setminus\mathrm{Im}(\rho''\cdot\rho')} = s'|_{\mathrm{dom}(s_{n+1} + \{l_i \mapsto v_i\})\setminus\mathrm{Im}(\rho''\cdot\rho')}.$$

Since $\rho' = \varepsilon$, $\mathrm{Im}(\rho'') = \{l_i\}$ and $\mathrm{dom}(s_{n+1}) \cap \{l_i\} = \emptyset$ (by freshness), 

$$(s_{n+1} + \{l_i \mapsto v_i\})|_{\mathrm{dom}(s_{n+1})} = s'|_{\mathrm{dom}(s_{n+1})},$$

so $s_{n+1} = s'|_{\mathrm{dom}(s_{n+1})}$. 

Since $\mathrm{dom}(s)\setminus\mathrm{Im}(\rho) \subset \mathrm{dom}(s) \subset \mathrm{dom}(s_{n+1})$, 

$$s_{n+1}|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)} = s'|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)}.$$

Finally we can prove similarly to the (seq) case that 

$$s|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)} = s_{n+1}|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)}.$$

Hence, 

$$s|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)} = s'|_{\mathrm{dom}(s)\setminus\mathrm{Im}(\rho)}. \qquad\square$$

As a consequence, a tail of function calls cannot modify the current store, only extend it with 
the parameters of the called functions. 

Corollary 3.4. For every tail $Q$, 

$$Q\ s \xrightarrow[\rho]{\mathcal{F}} v\ s' \quad\text{implies}\quad s \sqsubseteq s'.$$

Proof. We prove the corollary by induction on the structure of a tail. First remember that store 
extension (written $\sqsubseteq$) is a partial order over stores (Property 2.18), defined in Section 2.3.2 as 
follows: $s \sqsubseteq s'$ iff $s'|_{\mathrm{dom}(s)} = s$. 

The case $\varepsilon$ is trivial. The case $Q \mathrel; F$ is immediate by induction ((seq) rule), since $\sqsubseteq$ is 
transitive. Similarly, it is pretty clear that $f(\mathit{expr}, \dots, \mathit{expr}, F)$ follows by induction and transitivity 
from $f(\mathit{expr}, \dots, \mathit{expr})$ ((call) rule). We focus on this last case. 

Lemma 3.3 implies: 

$$(s_{n+1} + \{l_i \mapsto v_i\})|_{\mathrm{dom}(s_{n+1} + \{l_i \mapsto v_i\})\setminus\mathrm{Im}(\rho''\cdot\rho')} = s'|_{\mathrm{dom}(s_{n+1} + \{l_i \mapsto v_i\})\setminus\mathrm{Im}(\rho''\cdot\rho')}.$$

Since $\rho' = \varepsilon$, $\mathrm{Im}(\rho'') = \{l_i\}$ and $\mathrm{dom}(s_{n+1}) \cap \{l_i\} = \emptyset$ (by freshness), 

$$(s_{n+1} + \{l_i \mapsto v_i\})|_{\mathrm{dom}(s_{n+1})} = s'|_{\mathrm{dom}(s_{n+1})},$$

so $s_{n+1} = s'|_{\mathrm{dom}(s_{n+1})}$. 

The evaluation of $\mathit{expr}$ parameters does not change the store: $s_{n+1} = s$. The expected result 
follows: $s = s'|_{\mathrm{dom}(s)}$; hence $s \sqsubseteq s'$. □ 

This leads to the correctness of early evaluation. 

Theorem 3.5 (Early evaluation). For every tail $Q$, $Q\ s \xrightarrow[\rho]{\mathcal{F}} v\ s'$ implies $Q[x \backslash s(\rho\,x)]\ s \xrightarrow[\rho]{\mathcal{F}} v\ s'$ 
(provided $x \in \mathrm{dom}(\rho)$ and $\rho\,x \in \mathrm{dom}(s)$). 

Proof. Immediate induction on the structure of tails and expressions: Corollary 3.4 implies that 
$s \sqsubseteq s''$ and $\rho\,x \in \mathrm{dom}(s)$ ensures that $s(\rho\,x) = s''(\rho\,x)$ in the relevant cases (namely the (seq) 
rule for $Q \mathrel; F$ and the (call) rule for $f(\mathit{expr}, \dots, \mathit{expr}, F)$). □ 

3.3 Small-step reduction 

We define the semantics of CPS-convertible terms through a set of small-step reduction rules. 
We distinguish three kinds of reductions: $\to_T$ to reduce the head of terms, $\to_Q$ to reduce the 
tail, and $\to_e$ to evaluate expressions. 

These rules describe a stack machine with a store $\sigma$ to keep the value of variables. Since free 
and shared variables have been eliminated in earlier passes, there is a direct correspondence at 
any point in the program between variable names and locations, with no need to dynamically 
maintain an extra environment. 

We use contexts as a compact representation for stacks. The head rules $\to_T$ reduce triples 
made of a term, a context and a store: $(T, C[\,], \sigma)$. The tail rules $\to_Q$, which merely unfold tails 
with no need of a store, reduce couples of a tail and a context: $(Q, C[\,])$. The expression rules 
do not need a context to reduce, thus operating on couples made of an expression and a store: 
$(\mathit{expr}, \sigma)$. 

Contexts Contexts are sequences of function calls. In those sequences, function parameters 
shall be already evaluated: constant expressions are allowed, but not variables. As a special case, 
the last parameter might be a "hole" instead, written $\square$, to be filled with the return value of the 
next, nested function. 

Definition 3.6 (Contexts). Contexts are defined inductively: 

$$C ::= [\,] \mid C[[\,] \mathrel; f(v, \dots, v)] \mid C[[\,] \mathrel; f(v, \dots, v, \square)]$$
Definition 3.7 (CPS-convertible reduction rules). 

$$\begin{array}{rcll}
(x := \mathit{expr} \mathrel; T,\ C[\,],\ \sigma) & \to_T & (T,\ C[\,],\ \sigma[x \mapsto v]) & (7)\\
\multicolumn{4}{l}{\quad\text{when } (\mathit{expr}, \sigma) \to_e^* v}\\
(\textsf{if}\ \mathit{expr}\ \textsf{then}\ T_1\ \textsf{else}\ T_2,\ C[\,],\ \sigma) & \to_T & (T_1,\ C[\,],\ \sigma) & (8)\\
\multicolumn{4}{l}{\quad\text{if } (\mathit{expr}, \sigma) \to_e^* \textsf{true}}\\
(\textsf{if}\ \mathit{expr}\ \textsf{then}\ T_1\ \textsf{else}\ T_2,\ C[\,],\ \sigma) & \to_T & (T_2,\ C[\,],\ \sigma) & (9)\\
\multicolumn{4}{l}{\quad\text{if } (\mathit{expr}, \sigma) \to_e^* \textsf{false}}\\
(\mathit{expr},\ C[[\,] \mathrel; f(v_1, \dots, v_n)],\ \sigma) & \to_T & (\varepsilon,\ C[[\,] \mathrel; f(v_1, \dots, v_n)]) & (10)\\
(\mathit{expr},\ C[[\,] \mathrel; f(v_1, \dots, v_n, \square)],\ \sigma) & \to_T & (\varepsilon,\ C[[\,] \mathrel; f(v_1, \dots, v_n, v)]) & (11)\\
\multicolumn{4}{l}{\quad\text{when } (\mathit{expr}, \sigma) \to_e^* v}\\
(\mathit{expr},\ [\,],\ \sigma) & \to_T & v & \\
\multicolumn{4}{l}{\quad\text{when } (\mathit{expr}, \sigma) \to_e^* v}\\
(Q,\ C[\,],\ \sigma) & \to_T & (Q[x_i \backslash \sigma\,x_i],\ C[\,]) & (12)\\
\multicolumn{4}{l}{\quad\text{for every } x_i \text{ in } \mathrm{dom}(\sigma)}\\
(Q \mathrel; f(v_1, \dots, v_n),\ C[\,]) & \to_Q & (Q,\ C[[\,] \mathrel; f(v_1, \dots, v_n)]) & (13)\\
(Q \mathrel; f(v_1, \dots, v_n, F),\ C[\,]) & \to_Q & (Q \mathrel; F,\ C[[\,] \mathrel; f(v_1, \dots, v_n, \square)]) & (14)\\
(\varepsilon,\ C[[\,] \mathrel; f(v_1, \dots, v_n)]) & \to_Q & (T,\ C[\,],\ \sigma) & (15)\\
\multicolumn{4}{l}{\quad\text{when } f(x_1, \dots, x_n) = T \text{ and } \sigma = \{x_i \mapsto v_i\}}
\end{array}$$

We do not detail the rules for $\to_e$, which simply look for variables in $\sigma$ and evaluate arithmetical 
and boolean operators. 

Early evaluation Note that Rule (12) evaluates every function parameter in a tail before the 
evaluation of the tail itself. This is precisely the early evaluation process described above, which 
is correct by Theorem 3.5. We introduce early evaluation directly in the reduction rules rather 
than using it as a lemma to simplify the proof of correctness of the CPS-conversion. 



3.4 CPS terms 

Unlike classical CPS conversion techniques [5], our CPS terms are not continuations, but a 
procedure which builds and executes the continuation of a term. Construction is performed 
by push, which adds a function to the current continuation, and execution by invoke, which 
calls the first function of the continuation, optionally passing it the return value of the current 
function. 

Definition 3.8 (CPS terms). 

$$\begin{array}{rcll}
v & ::= & 1 \mid \textsf{true} \mid \textsf{false} \mid n \in \mathbb{N} & \text{(values)}\\
\mathit{expr} & ::= & v \mid x \mid \dots & \text{(expressions)}\\
Q & ::= & \textsf{invoke} \mid \textsf{push}\ f(\mathit{expr}, \dots, \mathit{expr}) \mathrel; Q \mid \textsf{push}\ f(\mathit{expr}, \dots, \mathit{expr}, \square) \mathrel; Q & \text{(tail)}\\
T & ::= & \textsf{invoke}\ \mathit{expr} \mid x := \mathit{expr} \mathrel; T \mid \textsf{if}\ \mathit{expr}\ \textsf{then}\ T\ \textsf{else}\ T \mid Q & \text{(head)}
\end{array}$$

Continuations and reduction rules A continuation is a sequence of function calls to be 
performed, with already evaluated parameters. We write $\cdot$ for appending a function to a continuation, 
and $\square$ for a "hole", i.e. an unknown parameter. 

Definition 3.9 (Continuations). 

$$C ::= \varepsilon \mid f(v, \dots, v) \cdot C \mid f(v, \dots, v, \square) \cdot C$$

The reduction rules for CPS terms are isomorphic to the rules for CPS-convertible terms, 
except that they use continuations instead of contexts. 

Definition 3.10 (CPS reduction rules). 

$$\begin{array}{rcll}
(x := \mathit{expr} \mathrel; T,\ C,\ \sigma) & \to_T & (T,\ C,\ \sigma[x \mapsto v]) & (16)\\
\multicolumn{4}{l}{\quad\text{when } (\mathit{expr}, \sigma) \to_e^* v}\\
(\textsf{if}\ \mathit{expr}\ \textsf{then}\ T_1\ \textsf{else}\ T_2,\ C,\ \sigma) & \to_T & (T_1,\ C,\ \sigma) & (17)\\
\multicolumn{4}{l}{\quad\text{if } (\mathit{expr}, \sigma) \to_e^* \textsf{true}}\\
(\textsf{if}\ \mathit{expr}\ \textsf{then}\ T_1\ \textsf{else}\ T_2,\ C,\ \sigma) & \to_T & (T_2,\ C,\ \sigma) & (18)\\
\multicolumn{4}{l}{\quad\text{if } (\mathit{expr}, \sigma) \to_e^* \textsf{false}}\\
(\textsf{invoke}\ \mathit{expr},\ f(v_1, \dots, v_n) \cdot C,\ \sigma) & \to_T & (\textsf{invoke},\ f(v_1, \dots, v_n) \cdot C) & (19)\\
(\textsf{invoke}\ \mathit{expr},\ f(v_1, \dots, v_n, \square) \cdot C,\ \sigma) & \to_T & (\textsf{invoke},\ f(v_1, \dots, v_n, v) \cdot C) & (20)\\
\multicolumn{4}{l}{\quad\text{when } (\mathit{expr}, \sigma) \to_e^* v}\\
(\textsf{invoke}\ \mathit{expr},\ \varepsilon,\ \sigma) & \to_T & v \quad\text{when } (\mathit{expr}, \sigma) \to_e^* v & \\
(Q,\ C,\ \sigma) & \to_T & (Q[x_i \backslash \sigma\,x_i],\ C) & (21)\\
\multicolumn{4}{l}{\quad\text{for every } x_i \text{ in } \mathrm{dom}(\sigma)}\\
(\textsf{push}\ f(v_1, \dots, v_n) \mathrel; Q,\ C) & \to_Q & (Q,\ f(v_1, \dots, v_n) \cdot C) & (22)\\
(\textsf{push}\ f(v_1, \dots, v_n, \square) \mathrel; Q,\ C) & \to_Q & (Q,\ f(v_1, \dots, v_n, \square) \cdot C) & (23)\\
(\textsf{invoke},\ f(v_1, \dots, v_n) \cdot C) & \to_Q & (T,\ C,\ \sigma) & (24)\\
\multicolumn{4}{l}{\quad\text{when } f(x_1, \dots, x_n) = T \text{ and } \sigma = \{x_i \mapsto v_i\}}
\end{array}$$

Well-formed terms Not all CPS terms will lead to a correct reduction. If we push a function 
expecting the result of another function and invoke it immediately, the reduction blocks: 

$$(\textsf{push}\ f(v_1, \dots, v_n, \square) \mathrel; \textsf{invoke},\ C,\ \sigma) \to (\textsf{invoke},\ f(v_1, \dots, v_n, \square) \cdot C,\ \sigma) \not\to$$

Well-formed terms avoid this behaviour. 

Definition 3.11 (Well-formed term). A continuation queue is well-formed if it does not end 
with: 

$$\textsf{push}\ f(\mathit{expr}, \dots, \mathit{expr}, \square) \mathrel; \textsf{invoke}.$$

A term is well-formed if every continuation queue in this term is well-formed. 

3.5 Correctness of the CPS-conversion 

We define the CPS conversion as a mapping from CPS-convertible terms to CPS terms. 
Definition 3.12 (CPS conversion). 

$$\begin{array}{rcl}
(Q \mathrel; f(\mathit{expr}, \dots, \mathit{expr}))^\lambda & = & \textsf{push}\ f(\mathit{expr}, \dots, \mathit{expr}) \mathrel; Q^\lambda\\
(Q \mathrel; f(\mathit{expr}, \dots, \mathit{expr}, F))^\lambda & = & \textsf{push}\ f(\mathit{expr}, \dots, \mathit{expr}, \square) \mathrel; (Q \mathrel; F)^\lambda\\
\varepsilon^\lambda & = & \textsf{invoke}\\
(x := \mathit{expr} \mathrel; T)^\lambda & = & x := \mathit{expr} \mathrel; T^\lambda\\
(\textsf{if}\ \mathit{expr}\ \textsf{then}\ T_1\ \textsf{else}\ T_2)^\lambda & = & \textsf{if}\ \mathit{expr}\ \textsf{then}\ T_1^\lambda\ \textsf{else}\ T_2^\lambda\\
\mathit{expr}^\lambda & = & \textsf{invoke}\ \mathit{expr}
\end{array}$$

In the rest of this section, we prove that this mapping yields an isomorphism between the 
reduction rules of CPS-convertible terms and well-formed CPS terms, whence the correctness of 
our CPS conversion (Theorem 3.17). 

We first prove two lemmas to show that $\lambda$ yields only well-formed CPS terms. This leads 
to a third lemma to show that $\lambda$ is a bijection between CPS-convertible terms and well-formed 
CPS terms. 

CPS-convertible terms have been carefully designed to make CPS conversion as simple as 
possible. Accordingly, the following three proofs, while long and tedious, are fairly trivial. 

Lemma 3.13. Let $Q$ be a continuation queue. Then $Q^\lambda$ is well-formed. 

Proof. By induction on the structure of a tail. 

$$\varepsilon^\lambda = \textsf{invoke}$$

and 

$$(\varepsilon \mathrel; f(\mathit{expr}, \dots, \mathit{expr}))^\lambda = \textsf{push}\ f(\mathit{expr}, \dots, \mathit{expr}) \mathrel; \textsf{invoke}$$

are well-formed by definition. 

$$((Q \mathrel; F) \mathrel; f(\mathit{expr}, \dots, \mathit{expr}))^\lambda = \textsf{push}\ f(\mathit{expr}, \dots, \mathit{expr}) \mathrel; (Q \mathrel; F)^\lambda$$

and 

$$(Q \mathrel; f(\mathit{expr}, \dots, \mathit{expr}, F))^\lambda = \textsf{push}\ f(\mathit{expr}, \dots, \mathit{expr}, \square) \mathrel; (Q \mathrel; F)^\lambda$$

are well-formed by induction. □ 

Lemma 3.14. Let $T$ be a CPS-convertible term. Then $T^\lambda$ is well-formed. 

Proof. Induction on the structure of $T$, using the above lemma. □ 

Lemma 3.15. The $\lambda$ relation is a bijection between CPS-convertible terms and well-formed CPS 
terms. 

Proof. Consider the following mapping from well-formed CPS terms to CPS-convertible terms: 

$$\begin{array}{rcl}
(\textsf{push}\ f(\mathit{expr}, \dots, \mathit{expr}) \mathrel; Q)^\gamma & = & Q^\gamma \mathrel; f(\mathit{expr}, \dots, \mathit{expr})\\
(\textsf{push}\ f(\mathit{expr}, \dots, \mathit{expr}, \square) \mathrel; Q)^\gamma & = & Q' \mathrel; f(\mathit{expr}, \dots, \mathit{expr}, F)\\
& & \quad\text{with } Q^\gamma = Q' \mathrel; F \quad (*)\\
\textsf{invoke}^\gamma & = & \varepsilon\\
(x := \mathit{expr} \mathrel; T)^\gamma & = & x := \mathit{expr} \mathrel; T^\gamma\\
(\textsf{if}\ \mathit{expr}\ \textsf{then}\ T_1\ \textsf{else}\ T_2)^\gamma & = & \textsf{if}\ \mathit{expr}\ \textsf{then}\ T_1^\gamma\ \textsf{else}\ T_2^\gamma\\
(\textsf{invoke}\ \mathit{expr})^\gamma & = & \mathit{expr}
\end{array}$$

(*) The existence of $Q'$ is guaranteed by well-formedness: 

- $\forall T,\ T^\gamma = \varepsilon \Rightarrow T = \textsf{invoke}$ (by disjunction on the definition of $T^\gamma$), 

- here, $Q \neq \textsf{invoke}$ because $(\textsf{push}\ f(\mathit{expr}, \dots, \mathit{expr}, \square) \mathrel; Q)$ is well-formed, 

- hence $Q^\gamma \neq \varepsilon$. 

One checks easily that $(T^\gamma)^\lambda = T$ and $(T^\lambda)^\gamma = T$. □ 
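An added example, not the paper's own code, that implements the conversion of Definition 3.12, the inverse mapping from the proof above and the well-formedness check of Definition 3.11 on a tuple encoding of terms; the encoding and the sample term are assumptions of this example.

```python
# Added example (not the paper's code): the conversion ^lambda of Definition 3.12, its
# inverse ^gamma from the proof of Lemma 3.15 and the well-formedness check of
# Definition 3.11, on a tuple encoding that is an assumption of this example
# (expressions stay opaque strings, since the conversion leaves them unchanged):
#   CPS-convertible: ('expr', e) | ('assign', x, e, T) | ('if', e, T1, T2) | ('eps',)
#     | ('seq', Q, F)   with F = ('call', f, [e, ...], nested F or None)
#   CPS: ('invoke_expr', e) | ('assign', x, e, T) | ('if', e, T1, T2) | ('invoke',) | ('push', f, [e, ...], has_hole, Q)

def to_cps(t):
    """T^lambda (Definition 3.12)."""
    if t[0] == 'eps':
        return ('invoke',)
    if t[0] == 'seq':
        _, q, (_, f, args, nested) = t
        if nested is None:                  # (Q ; f(e..))^l = push f(e..) ; Q^l
            return ('push', f, args, False, to_cps(q))
        return ('push', f, args, True, to_cps(('seq', q, nested)))   # hole case
    if t[0] == 'expr':
        return ('invoke_expr', t[1])
    if t[0] == 'assign':
        return ('assign', t[1], t[2], to_cps(t[3]))
    return ('if', t[1], to_cps(t[2]), to_cps(t[3]))                  # remaining case: if

def from_cps(t):
    """T^gamma (Lemma 3.15); rejects the ill-formed 'push f(.., hole) ; invoke'."""
    if t[0] == 'invoke':
        return ('eps',)
    if t[0] == 'push':
        _, f, args, has_hole, q = t
        qg = from_cps(q)
        if not has_hole:
            return ('seq', qg, ('call', f, args, None))
        if qg[0] == 'eps':                  # (*): well-formedness gives Q^gamma = Q' ; F
            raise ValueError('ill-formed term: hole never filled before invoke')
        return ('seq', qg[1], ('call', f, args, qg[2]))
    if t[0] == 'invoke_expr':
        return ('expr', t[1])
    if t[0] == 'assign':
        return ('assign', t[1], t[2], from_cps(t[3]))
    return ('if', t[1], from_cps(t[2]), from_cps(t[3]))              # remaining case: if

def well_formed(t):
    """Definition 3.11: no continuation queue ends with 'push f(.., hole) ; invoke'."""
    if t[0] == 'push':
        return not (t[3] and t[4][0] == 'invoke') and well_formed(t[4])
    if t[0] == 'assign':
        return well_formed(t[3])
    if t[0] == 'if':
        return well_formed(t[2]) and well_formed(t[3])
    return True                             # invoke, invoke_expr

# Constructed sample: if n = 0 then r else r := r * n ; eps ; log(r) ; out(fact(n - 1, r))
SAMPLE = ('if', 'n = 0', ('expr', 'r'), ('assign', 'r', 'r * n',
    ('seq', ('seq', ('eps',), ('call', 'log', ['r'], None)),
            ('call', 'out', [], ('call', 'fact', ['n - 1', 'r'], None)))))
```

The sample tail corresponds to the C sequence `log(r); x = fact(n - 1, r); return out(x);`, and its image under to_cps is `push out(□) ; push fact(n - 1, r) ; push log(r) ; invoke`, so log runs first and fact's result fills the hole of out.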

To conclude the proof of isomorphism, we also need an (obviously bijective) mapping from 
contexts to continuations: 

Definition 3.16 (Conversion of contexts). 

$$\begin{array}{rcl}
([\,])^\lambda & = & \varepsilon\\
(C[[\,] \mathrel; f(v_1, \dots, v_n)])^\lambda & = & f(v_1, \dots, v_n) \cdot C' \quad\text{with } (C[\,])^\lambda = C'\\
(C[[\,] \mathrel; f(v_1, \dots, v_n, \square)])^\lambda & = & f(v_1, \dots, v_n, \square) \cdot C' \quad\text{with } (C[\,])^\lambda = C'
\end{array}$$

The correctness theorem follows: 

Theorem 3.17 (Correctness of CPS conversion). The $\lambda$ mappings on terms and on contexts are two bijections, the 
inverses of which are written $\gamma$ and $\nu$. They yield an isomorphism between reduction rules of 
CPS-convertible terms and CPS terms. 

Proof. Lemma 3.15 ensures that $\lambda$ is a bijection between CPS-convertible terms and well-formed 
CPS terms. Moreover, $\lambda$ is an obvious bijection between contexts and continuations. 

To complete the proof, we only need to apply $\lambda$, $\lambda$, $\gamma$ and $\nu$ to CPS-convertible terms, contexts, 
well-formed CPS terms and continuations (respectively) in every reduction rule and check that 
we get a valid rule in the dual reduction system. The result is summarized in Figure 4. □ 
$$\begin{array}{l@{\ \longleftrightarrow\ }l}
(x := \mathit{expr} \mathrel; T,\ C,\ \sigma) \to_T (T,\ C,\ \sigma[x \mapsto v]) & (x := \mathit{expr} \mathrel; T,\ C[\,],\ \sigma) \to_T (T,\ C[\,],\ \sigma[x \mapsto v])\\
\multicolumn{2}{l}{\quad\text{when } (\mathit{expr}, \sigma) \to_e^* v}\\
(\textsf{if}\ \mathit{expr}\ \textsf{then}\ T_1\ \textsf{else}\ T_2,\ C,\ \sigma) \to_T (T_1,\ C,\ \sigma) & (\textsf{if}\ \mathit{expr}\ \textsf{then}\ T_1\ \textsf{else}\ T_2,\ C[\,],\ \sigma) \to_T (T_1,\ C[\,],\ \sigma)\\
\multicolumn{2}{l}{\quad\text{if } (\mathit{expr}, \sigma) \to_e^* \textsf{true}}\\
(\textsf{if}\ \mathit{expr}\ \textsf{then}\ T_1\ \textsf{else}\ T_2,\ C,\ \sigma) \to_T (T_2,\ C,\ \sigma) & (\textsf{if}\ \mathit{expr}\ \textsf{then}\ T_1\ \textsf{else}\ T_2,\ C[\,],\ \sigma) \to_T (T_2,\ C[\,],\ \sigma)\\
\multicolumn{2}{l}{\quad\text{if } (\mathit{expr}, \sigma) \to_e^* \textsf{false}}\\
(\textsf{invoke}\ \mathit{expr},\ f(v_1, \dots, v_n) \cdot C,\ \sigma) \to_T (\textsf{invoke},\ f(v_1, \dots, v_n) \cdot C) & (\mathit{expr},\ C[[\,] \mathrel; f(v_1, \dots, v_n)],\ \sigma) \to_T (\varepsilon,\ C[[\,] \mathrel; f(v_1, \dots, v_n)])\\
(\textsf{invoke}\ \mathit{expr},\ f(v_1, \dots, v_n, \square) \cdot C,\ \sigma) \to_T (\textsf{invoke},\ f(v_1, \dots, v_n, v) \cdot C) & (\mathit{expr},\ C[[\,] \mathrel; f(v_1, \dots, v_n, \square)],\ \sigma) \to_T (\varepsilon,\ C[[\,] \mathrel; f(v_1, \dots, v_n, v)])\\
\multicolumn{2}{l}{\quad\text{when } (\mathit{expr}, \sigma) \to_e^* v}\\
(\textsf{invoke}\ \mathit{expr},\ \varepsilon,\ \sigma) \to_T v & (\mathit{expr},\ [\,],\ \sigma) \to_T v\\
\multicolumn{2}{l}{\quad\text{when } (\mathit{expr}, \sigma) \to_e^* v}\\
(Q,\ C,\ \sigma) \to_T (Q[x_i \backslash \sigma\,x_i],\ C) & (Q,\ C[\,],\ \sigma) \to_T (Q[x_i \backslash \sigma\,x_i],\ C[\,])\\
\multicolumn{2}{l}{\quad\text{for every } x_i \text{ in } \mathrm{dom}(\sigma)}\\
(\textsf{push}\ f(v_1, \dots, v_n) \mathrel; Q,\ C) \to_Q (Q,\ f(v_1, \dots, v_n) \cdot C) & (Q \mathrel; f(v_1, \dots, v_n),\ C[\,]) \to_Q (Q,\ C[[\,] \mathrel; f(v_1, \dots, v_n)])\\
(\textsf{push}\ f(v_1, \dots, v_n, \square) \mathrel; Q',\ C) \to_Q (Q',\ f(v_1, \dots, v_n, \square) \cdot C) & (Q \mathrel; f(v_1, \dots, v_n, F),\ C[\,]) \to_Q (Q \mathrel; F,\ C[[\,] \mathrel; f(v_1, \dots, v_n, \square)])\\
\multicolumn{2}{l}{\quad\text{when } Q' = (Q \mathrel; F)^\lambda}\\
(\textsf{invoke},\ f(v_1, \dots, v_n) \cdot C) \to_Q (T,\ C,\ \sigma) & (\varepsilon,\ C[[\,] \mathrel; f(v_1, \dots, v_n)]) \to_Q (T,\ C[\,],\ \sigma)\\
\multicolumn{2}{l}{\quad\text{when } f(x_1, \dots, x_n) = T \text{ and } \sigma = \{x_i \mapsto v_i\}}
\end{array}$$

Figure 4: Isomorphism between reduction rules (left: CPS terms, Definition 3.10; right: the 
corresponding CPS-convertible terms, Definition 3.7). 



References 



[1] William D. Clinger. Proper tail recursion and space efficiency. In Proceedings of the ACM 
SIGPLAN 1998 conference on Programming language design and implementation, PLDI '98, 
pages 174-185, New York, NY, USA, 1998. ACM. 

[2] Olivier Danvy and Ulrik Schultz. Lambda-lifting in quadratic time. In Functional and Logic 
Programming, volume 2441 of Lecture Notes in Computer Science, pages 134-151. Springer-Verlag, 
Berlin, Germany, 2002. 

[3] International Organization for Standardization. ISO/IEC 9899:1999 "Programming Languages 
- C", December 1999. 

[4] Gabriel Kerneis and Juliusz Chroboczek. Continuation-Passing C: from threads to events 
through continuations. January 2012. Submitted for publication. 

[5] G. D. Plotkin. Call-by-name, call-by-value and the lambda-calculus. Theoretical Computer 
Science, 1(2):125-159, December 1975. 






